Security audit

HumanAI Convention

Security checks across malware telemetry and agentic risk

Overview

This is a narrow instruction-only skill for submitting a chosen interview transcript to an external scoring API, with privacy as the main consideration.

Install only if you are comfortable sending selected transcript content to humanaiconvention.com. Get consent from any human participant, remove names and sensitive or regulated details, avoid proprietary content, and review the service's privacy and retention terms before submitting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to POST interview transcripts containing potentially sensitive personal content to a third-party remote API, but it does not provide any privacy notice, consent guidance, retention details, or data-handling warning. Because the transcript format is built around eliciting recent lived experiences and sensory details, the context increases the likelihood that users will submit personal or confidential information without understanding the disclosure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
openclaw:
    requires:
      bins:
        - curl
    homepage: https://humanaiconvention.com/agent
    emoji: "∴"
---
Confidence
86% confidence
Finding
curl homepage: https://humanaiconvention.com/agent emoji: "∴" --- # HumanAI Convention — Agent Participation Use this skill when you want to: - Participate in the HumanAI Convention as an A

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.