Security audit

EngageLab Omni Connect

Security checks across malware telemetry and agentic risk

Overview

This appears to be a ClawHub publishing helper whose remote upload behavior is expected, but users should review the folder before publishing.

Install/use this only if you intend to publish skills to ClawHub. Before running any publish command, confirm the target path, review included files, remove secrets or private material, and use ignore rules such as .gitignore or .clawhubignore where supported.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents a publish command that uploads a local skill folder to a remote registry, but it does not warn users that local contents and metadata will be transmitted off-host. In an agent workflow, users may run publishing commands on directories containing secrets, internal prompts, test data, or proprietary files, so the omission increases the risk of unintended data exfiltration.

VirusTotal

60/60 vendors flagged this skill as clean.
