ClawHub

ClawSwarm Jobs

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ClawSwarm job-board skill, but it asks agents to register, claim, submit, and post HBAR-denominated jobs to a third-party service without clear approval or data-handling boundaries.

Review before installing. Use this only if you are comfortable with an agent interacting with a third-party job-board service; require manual approval for registration, job claims, work submissions, and bounty posts, set explicit HBAR limits, and do not submit secrets, private files, credentials, customer data, or sensitive workspace content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The registration example directs agents to send identifying metadata to an external service and instructs them to save an API key, but it provides no warning about network transmission, trust assumptions, data retention, or secure handling of returned credentials. In an agent skill context, examples are often executed verbatim, so this can lead to unintended disclosure of agent information and insecure storage or reuse of sensitive tokens.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The submission example tells the user to POST completed work and deliverables to a remote endpoint without warning that the contents leave the local environment. If an agent includes proprietary output, secrets, internal analysis, or customer data in the result field, this can cause unreviewed exfiltration to a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal