BotSee

Security checks across malware telemetry and agentic risk

Overview

The BotSee skill is a coherent API integration, but users should handle its API key, payment flows, and delete/archive commands carefully.

Install only if you trust BotSee with your BotSee account data and want an agent to manage that account. Do not paste API keys into ordinary chat despite the stale README examples; prefer the signup-status flow or a deliberate local CLI invocation. Keep BOTSEE_BASE_URL unset unless testing a trusted BotSee endpoint, and confirm payment amounts, wallet/proof details, UUID targets, and archive/delete actions before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Tainted flow: 'req' from os.environ.get (line 113, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    ssl_context.verify_mode = ssl.CERT_REQUIRED

    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ssl_context) as resp:
            raw = resp.read()
            response_data = json.loads(raw) if raw else {}
            payment_headers = extract_payment_headers(resp.headers)
Confidence
91% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout, context=ssl_context) as resp:

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README explicitly instructs users to paste a live API key into chat so the assistant can save it. Chat is a poor credential-entry channel because secrets may be retained in logs, transcripts, screenshots, or downstream tooling, and the documentation provides no warning or safer alternative.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Showing even a partial API key prefix in status output normalizes credential display and increases the chance of accidental disclosure via screenshots, logs, or copied terminal output. While a prefix alone is not usually sufficient to authenticate, exposing any secret material unnecessarily weakens operational security.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that signup completion automatically saves the API key to ~/.botsee/config.json, but does not prominently warn the user that a credential will be written to disk. Storing long-lived secrets locally without explicit notice or guidance increases the risk of credential exposure through weak filesystem permissions, backups, shared machines, or subsequent tooling access.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The direct API-key save flow persists a bearer credential to ~/.botsee/config.json without clearly warning the user or reusing the more secure save_user_config path. Although file mode is later set to 0600, silent credential persistence increases the chance of unintended long-term secret retention, backup leakage, or use on shared systems.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill exposes archive and delete operations as routine commands without instructing the agent to require explicit user confirmation before performing destructive actions. In an agent setting, this increases the risk of accidental or unauthorized data loss, especially because UUID-based targets can be supplied programmatically and the document frames the commands as normal workflow actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that the API key is automatically saved to ~/.botsee/config.json without a prominent warning about local credential persistence, file permissions, or shared-environment risk. This can expose long-lived credentials to other local users, backups, logs, or workspace automation that reads from home-directory config files.

Ssd 3

Medium
Confidence
98% confidence
Finding
The documentation directs users to disclose secrets in a conversational channel and states that Claude will automatically persist them. This creates avoidable secret-handling risk because the value may be stored in message history or surfaced to other tools and users with access to transcripts.

Ssd 3

Medium
Confidence
99% confidence
Finding
These signup instructions repeatedly tell users to paste a live API key into chat messages and confirm it will be saved automatically. That is unsafe secret handling guidance because it encourages credential disclosure through a channel that may be logged, retained, or observed outside the user's immediate control.

VirusTotal

66/66 vendors flagged this skill as clean.
