ClawHub

Dscvr Skills 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed DSCVR API client that uses user-provided credentials to fetch crypto, market, and social data, with no evidence of hidden persistence, exfiltration, or destructive behavior.

Install this only if you intend your agent to query DSCVR using your DSCVR subscription credentials. Avoid putting secrets, private wallet details, or sensitive personal data into DSCVR search terms or GraphQL queries unless you intend to send that information to the DSCVR service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README states that the skill performs authenticated API calls to DSCVR but does not clearly disclose that user prompts and query parameters may be transmitted to an external third-party service. In an agent-skill context, this can cause unintended data exposure if users assume analysis is local or do not realize sensitive prompts, identifiers, or market research requests will leave the agent environment.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation description is broad enough to match generic crypto, market, or DSCVR-related prompts, which can cause the skill to be selected when the user did not explicitly intend to query an external authenticated API. In this context, over-triggering is risky because the skill can initiate network calls using account-linked credentials and potentially transmit sensitive user queries to DSCVR services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explains authenticated API and GraphQL usage but does not warn that user-supplied queries and account-linked API credentials will be transmitted to DSCVR. That omission can mislead users and downstream agents about privacy, data handling, and the implications of sending potentially sensitive lookup terms or identifiers to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal