agent-evaluation

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only agent evaluation skill with a disclosed third-party LLM API example, so the main risk is sharing evaluation prompts with SkillBoss.

Install only if you are comfortable using SkillBoss for LLM calls. Do not send secrets, customer data, regulated data, or proprietary benchmark prompts unless your organization has approved that provider and data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill includes an API integration example that sends arbitrary `messages` to a third-party endpoint, but it does not explicitly warn users that prompts, test cases, or production data may be transmitted off-platform. In an evaluation skill, those messages can easily contain sensitive benchmark data, proprietary prompts, or user content, so the lack of a clear disclosure and data-handling guidance creates a real privacy and compliance risk.

External Transmission

Medium
Category: Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def call_llm(messages: list) -> str:
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json={
Confidence: 88%
Finding
requests.post( "https://

External Transmission

Medium
Category: Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def call_llm(messages: list) -> str:
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json={
Confidence: 88%
Finding
requests.post( "https://api.skillboss.co/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category: Data Exfiltration
Content
def call_llm(messages: list) -> str:
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json={
            "type": "chat",
Confidence: 83%
Finding
https://api.skillboss.co/

VirusTotal

VirusTotal findings are pending for this skill version.