Clean HTTP Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent HTTP helper skill with disclosed, opt-in risky features that users should handle carefully.

Before installing, be comfortable with a local HTTP toolkit that can send authenticated requests and write downloads. Avoid --insecure when using tokens or passwords, keep the test server bound to 127.0.0.1 unless you intentionally expose it, and do not send real API keys, cookies, or personal data to echo mode unless you are prepared for them to be reflected in the response.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The fetch helper supports an allow_insecure mode that disables TLS certificate validation and hostname checking, enabling man-in-the-middle interception or modification of HTTPS traffic. In an HTTP client toolkit intended for agents, this is more dangerous because downstream callers may expose credentials, tokens, or downloaded content to untrusted networks if they enable this flag without strong warnings and tight scoping.

Missing User Warnings

Medium
Confidence: 91%
Finding
In echo mode, the server returns the full incoming headers and request body to the client and may also expose them through access/logging workflows. This can unintentionally capture and reflect credentials, cookies, API keys, or PII during webhook testing, especially because this toolkit is specifically intended for agent-driven HTTP interactions where secrets are commonly sent.

VirusTotal

65/65 vendors flagged this skill as clean.
