AI-powered DP Data Processing Pipeline Designer

Security checks across malware telemetry and agentic risk

Overview

This skill is aligned with its stated purpose (DP pipeline work), but it can use an API key to submit and start live data-processing jobs without adequate execution and privacy controls.

Review before installing. Use only with a trusted HTTPS DP server and a scoped API key, require the agent to show the target server, XML, inputs, outputs, quota impact, and stop plan, and do not allow submit/start actions without explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The activation text is broad enough to match common requests about pipelines, data flows, Flink, Kafka, and database writes, which increases the chance the skill is invoked when a user did not intend to authorize remote job design or submission. In this skill's context, that matters because the capability section explicitly includes generating, submitting, and monitoring runnable jobs against a live DP platform, making overbroad activation more risky than a purely advisory skill.

Missing User Warnings

Medium
Confidence: 91%
Finding
The purpose statement says the skill can design, generate, submit, and monitor pipelines, but it does not present a clear user-facing warning that it may create and start executable jobs on a remote platform. In this context, omission of that warning is dangerous because users may think they are only getting design help, while the skill is actually capable of causing operational changes in production-like systems.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents use of DP_SERVER_URL, DP_API_KEY, and mandatory authenticated curl calls, but it does not clearly warn users that pipeline definitions, resource references, and operational metadata will be transmitted to an external DP platform. That creates privacy and security risk because sensitive architecture details, connection identifiers, or business logic could be sent off-box without informed user consent.

VirusTotal

VirusTotal findings are pending for this skill version.