ClawHub

test vercel

Security checks across malware telemetry and agentic risk

Overview

This skill describes a powerful backup/deployment tool but depends on an unverified external installer and production-impacting commands that are not safely scoped.

Review carefully before installing. Do not download or run the external CLI unless you can verify its publisher, source, signature or checksum, and exact version. Treat all phoenix-shield commands as production-impacting: test in an isolated environment, require human approval before updates or rollbacks, and avoid systems with sensitive data until the external executable is independently trusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill provides commands for backup, deploy, update, monitoring, and rollback that can directly change system state, upgrade packages, restart services, or restore prior snapshots, but it does not prominently warn users about the operational risk of running them on live systems. This is dangerous because users may execute examples verbatim in production, causing unintended downtime, configuration loss, package regressions, or restoration of stale state.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow examples include automated production updates, package upgrades, hooks, multi-server rollout, and auto-rollback behavior without a clear warning about risks to live environments. In this context, the omission is more dangerous because the skill is explicitly marketed for critical system updates and high-availability production use, increasing the likelihood that operators will run these commands against real infrastructure.

VirusTotal

No VirusTotal findings

View on VirusTotal