product-doc-hub

Security checks across malware telemetry and agentic risk

Overview

This is a static product documentation and API-console template; its risky areas are disclosed product/API examples rather than hidden behavior.

Installing it is reasonable if you want a documentation/API-console template. Before adapting it for real users, add explicit warnings for mutating API calls, use staging endpoints by default, avoid putting long-lived secrets in front-end files, and document consent, retention, and deletion controls for tracking and uploaded media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly promotes an API Console that can send real HTTP requests, but it does not warn users that those requests may hit production systems, transmit sensitive data, or create/modify live resources. In a reusable skill intended for broad adoption, this omission increases the chance of unsafe testing against real endpoints and accidental operational impact.

Missing User Warnings

Medium
Confidence: 97%
Finding
The quick-start flow encourages copy-paste setup and immediate request execution without any notice that configured endpoints can retrieve, create, update, or delete real data. Because the sample includes POST and user-management APIs, users may unintentionally perform state-changing actions against live backends.

Missing User Warnings

Medium
Confidence: 94%
Finding
The API console advertises a telemetry endpoint for event reporting without any user-facing disclosure that using the console may transmit analytics or behavioral data. In an interactive documentation tool that can send real requests, this can cause unsuspecting users to submit potentially sensitive event payloads to a live collection endpoint, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 98%
Finding
The page displays full API keys in the DOM and allows one-click copying of complete secrets, including newly generated keys, without masking, one-time reveal handling, or warnings. In a browser context this increases the chance of credential exposure through shoulder surfing, screenshots, DOM inspection, malicious extensions, shared devices, or accidental disclosure.

Missing User Warnings

Medium
Confidence: 88%
Finding
The document explicitly states there is automatic tracking that records the full user operation path, but it does not mention consent, notice, retention, or access controls. In the context of a product skill handling user-generated media and behavior analytics, silent telemetry can expose sensitive behavioral and operational data and create privacy/compliance risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The flow describes uploading user videos to COS, processing them through cloud services, and later exposing output URLs, but provides no warning about external transfer, storage duration, or handling of potentially sensitive media. Because the product processes user videos and derived artifacts through multiple cloud components, the absence of disclosure and retention controls increases privacy, confidentiality, and regulatory risk.

VirusTotal

66/66 vendors flagged this skill as clean.