Oblien workspace runtime

Security checks across malware telemetry and agentic risk

Overview

This is a high-privilege Oblien runtime API reference, but its file, command, terminal, watcher, and token behavior is disclosed and aligned with its stated purpose.

Install this only if you want your agent to understand and operate an Oblien workspace runtime. Treat it as high-privilege documentation: keep real client secrets and bearer tokens out of prompts, logs, terminal history, and shared outputs; enable public gateway access only when needed; prefer scoped paths; and review file deletion, command execution, and long-running task operations before allowing impactful changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill prominently documents root-level file write, delete, terminal, and command-execution capabilities but does not pair them with strong safety guidance about destructive actions, persistence, or approval requirements. In a skill intended for agent use, omission of these cautions materially increases the chance of accidental data loss or unsafe modification of the workspace.

Missing User Warnings

Medium
Confidence: 95%
Finding
The authentication section includes gateway JWTs, raw connection tokens, client IDs, and client secrets in examples without clear instructions to treat them as secrets, avoid logging them, and avoid exposing them in chat, code, or terminal history. Because these credentials grant access to powerful runtime APIs, poor handling could enable unauthorized workspace access, command execution, or file exfiltration.

VirusTotal

64/64 vendors flagged this skill as clean.
