ClawHub

Generate Alias

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent company-alias generator, with optional web lookups that users should avoid for confidential company names.

Reasonable to install for offline alias generation. Keep the default offline mode for sensitive or pre-public company names, and only run the web-search helpers when it is acceptable for those names to appear in third-party service logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad enough that ordinary user requests about companies, keywords, or nicknames could unintentionally activate the skill outside its intended context. In agent environments with automatic tool/skill routing, this can cause inappropriate processing of user input and unexpected downstream actions, especially when combined with optional network features.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The online mode explicitly enables Wikipedia/network access but does not clearly disclose that enterprise names or related query terms may be sent to external services. This creates a data handling and privacy transparency issue, and in some environments may violate policy or user expectations even if the transmitted data is not highly sensitive.

Missing User Warnings

Low
Confidence
83% confidence
Finding
If `USE_WIKI` is enabled, the function sends company names to Wikipedia over the network, which can disclose potentially sensitive input data to a third party without explicit caller consent or prominent disclosure. The risk is limited because the feature is disabled by default and only transmits company names, but in some deployments those names may still be confidential or regulated business information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends the user-provided company name to Baidu, Qichacha, and related external services without explicit consent, privacy notice, or configuration to disable network lookups. In an agent setting, company names may be sensitive business context, so this can leak user intent, internal targets, or confidential investigation subjects to third parties and their logs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal