daily.dev

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only daily.dev API skill whose sensitive behaviors are disclosed and purpose-aligned, but users should approve repository scans, account changes, and any scheduled use.

Install this if you are comfortable giving an agent a daily.dev API token. Store the token securely, use it only with api.daily.dev, require confirmation before profile/feed/bookmark changes, and do not allow GitHub scans or scheduled/background runs without a clear scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrases include broad natural-language requests such as general research or trending-topic prompts without strong activation boundaries. In an agent environment, this can cause unintended invocation of the skill and unnecessary outbound calls or account-scoped actions when the user did not clearly intend to use daily.dev.

Vague Triggers

Medium
Confidence: 96%
Finding
The skill explicitly references scheduled operation and agent background processes, but does not define user-consent, scope, cadence, or stopping conditions. That creates a risk of persistent or repeated autonomous invocation, which can lead to privacy issues, surprise network activity, and repeated use of authenticated APIs without a fresh user decision.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill proposes scanning a user's GitHub repositories and activity to infer stack, profile, and interests, but it does not present a clear privacy notice, consent checkpoint, or minimization guidance. This can expose private repository metadata, contribution patterns, and other sensitive developer information to the agent and downstream service actions.

VirusTotal

64/64 vendors flagged this skill as clean.
