ClawHub

Russian Humanizer

Security checks across malware telemetry and agentic risk

Overview

This skill is a Russian text-editing helper with a disclosed optional external Glavred check; users should avoid that external tool for confidential text.

Install only if you want a Russian text-editing and AI-cliché detector. Use the local analyzer and auto-fix tools for confidential writing; use analyze_glavred only when you are comfortable sending the full submitted text to glvrd.ru. Avoid placing the bundled anti-slop prompt in global assistant instructions unless you want that style applied broadly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill description does not disclose that user text may be sent to a third-party service, yet the code adds an external Glavred integration. In a text-processing skill, users may reasonably expect local handling; undisclosed remote transmission creates a privacy and trust risk, especially if sensitive text is analyzed.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code submits user-provided text to api.glvrd.ru, which is an external third party unrelated to core local text cleanup. If users paste confidential drafts, personal data, or proprietary content, that content leaves the host environment and may be logged, retained, or processed under unknown policies.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises integration with the external glvrd.ru API but does not clearly warn that user text may be transmitted to a third-party service. In an agent context, this can lead to inadvertent disclosure of sensitive prompts, drafts, or personal data if users or operators assume all processing is local.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Although the tool description mentions Glavred, the transmission point does not enforce an explicit confirmation or consent gate before sending the user's text off-platform. In agent environments, tool descriptions are often not enough to ensure informed consent, so sensitive input can be exfiltrated unintentionally through normal use.

External Transmission

Medium
Category
Data Exfiltration
Content
const sessionParams = new URLSearchParams();
                  sessionParams.append('app', 'openclaw_humanizer_plugin');
                  
                  const sessionRes = await fetch("https://api.glvrd.ru/v2/session", {
                      method: "POST",
                      headers: { "Content-Type": "application/x-www-form-urlencoded" },
                      body: sessionParams.toString()
Confidence
90% confidence
Finding
fetch("https://api.glvrd.ru/v2/session", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
checkParams.append('session', sessionData.session);
                  checkParams.append('text', text);

                  const checkRes = await fetch("https://api.glvrd.ru/v2/check", {
                      method: "POST",
                      headers: { "Content-Type": "application/x-www-form-urlencoded" },
                      body: checkParams.toString()
Confidence
98% confidence
Finding
fetch("https://api.glvrd.ru/v2/check", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
const sessionParams = new URLSearchParams();
                  sessionParams.append('app', 'openclaw_humanizer_plugin');
                  
                  const sessionRes = await fetch("https://api.glvrd.ru/v2/session", {
                      method: "POST",
                      headers: { "Content-Type": "application/x-www-form-urlencoded" },
                      body: sessionParams.toString()
Confidence
90% confidence
Finding
https://api.glvrd.ru/

External Transmission

Medium
Category
Data Exfiltration
Content
checkParams.append('session', sessionData.session);
                  checkParams.append('text', text);

                  const checkRes = await fetch("https://api.glvrd.ru/v2/check", {
                      method: "POST",
                      headers: { "Content-Type": "application/x-www-form-urlencoded" },
                      body: checkParams.toString()
Confidence
98% confidence
Finding
https://api.glvrd.ru/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal