ClawHub

W Skill Pack

Security checks across malware telemetry and agentic risk

Overview

This is a broad daily-utility Python skill whose network calls and temporary personal tracking data are disclosed and purpose-aligned, with privacy and HTTP cautions but no hidden or destructive behavior.

Install only if you are comfortable with this skill sending weather, search, wiki, and dictionary inputs to external services. Avoid entering sensitive health or location details unless needed, do not hardcode real API keys in the source, and change the weather API call to HTTPS before using a real OpenWeatherMap key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill advertises extremely broad activation criteria covering many common everyday requests, which increases the chance it will be invoked when unnecessary and gain access to user prompts that should be handled by more specific, safer skills. In a multi-skill agent environment, this can lead to over-collection of user data and unintended use of web search or personal tracking features without clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes web queries, weather lookups, and personal tracking features such as weight logs and water reminders, but provides no privacy notice, retention details, or warning that user inputs may be sent to third-party APIs or stored. This omission can cause users to unknowingly expose sensitive health, location, or behavioral data, especially because the skill combines personal tracking with external network-backed features.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal