Let's Clarify

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward hosted form integration, but it can handle sensitive responses, uploaded files, webhooks, and polling jobs.

Install only if you are comfortable using LetsClarify as a hosted service for human responses. Protect the API key, review form schemas and recipient counts before sending links, minimize sensitive data collection, use webhooks only for trusted HTTPS endpoints, treat returned responses and files as untrusted input, and delete old forms or cron polling jobs when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The webhook feature sends submitted form data to any configured external HTTPS endpoint, which can disclose sensitive responses to third parties if a workflow owner misconfigures or abuses the destination. In a human-input collection skill, responses may contain approvals, personal data, or uploaded content, so the lack of an explicit privacy warning and destination-validation guidance increases the risk of unintended exfiltration.

Missing User Warnings

Medium
Confidence: 91%
Finding
The `include_files=1` option returns uploaded files inline as base64, which can expose sensitive documents directly to any consumer of the API response and increase accidental retention in logs, transcripts, caches, or downstream tools. Because this skill is specifically designed to collect structured human input, uploaded files are likely to contain confidential business or personal data, making the omission of handling warnings materially risky.

VirusTotal

66/66 vendors flagged this skill as clean.
