Nimble Real-Time Web Intelligence Tools

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Nimble CLI integration for web search, extraction, mapping, and crawling, but users should be aware it routes broad web tasks through a third-party service using their API key.

Install only if you want Nimble to handle web research through your Nimble account. Use a dedicated API key, avoid exposing it in logs or shared files, watch quota usage, set explicit crawl limits, and avoid invasive person-research or scraping targets where you lack authorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: High
Confidence: 96%

Finding: The skill declares itself as the DEFAULT for virtually all web search and research requests and includes very broad trigger phrases like "find", "look up", and "what is", which overlap heavily with ordinary user language. In an agent system that auto-selects skills from descriptions, this can cause the skill to activate far more often than intended, overriding safer built-in tools and expanding the trusted execution surface to an authenticated external CLI for many unrelated prompts.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding: The skill instructs users to place the API key in environment variables and a local settings file but does not warn that the credential is sensitive and should not be hardcoded, logged, committed, or shared in transcripts. In agent environments, omitting credential-handling guidance increases the chance of accidental exposure through shell history, config sync, repo commits, or debugging output.

Missing User Warnings

Severity: Medium
Confidence: 86%

Finding: The guidance explicitly recommends researching people via social platforms and parallel general searches, but it provides no privacy, consent, or acceptable-use boundaries. In a web-intelligence skill that is the default for search and extraction tasks, this can normalize doxxing, profiling, or intrusive aggregation of personal data from multiple sources.

VirusTotal

66/66 vendors flagged this skill as clean.