ClawHub

Cloud Storage

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only cloud storage guide with expected credential and bulk-operation cautions, not evidence of hidden or malicious behavior.

Install only if you are comfortable letting an agent help with cloud storage workflows. Use least-privilege credentials, prefer managed identity or short-lived credentials when available, avoid pasting real secrets into chat or logs, and require explicit review before bulk transfers, permission changes, or deletes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes examples for exporting AWS access keys and storing them in ~/.aws/credentials, but it does not explicitly warn that these are sensitive secrets that can leak through shell history, terminal logs, screenshots, copied config files, or shared developer environments. In an authentication setup guide, showing raw secret-handling patterns without strong cautions can normalize insecure operational practices and increase the chance of credential exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs users to set GOOGLE_APPLICATION_CREDENTIALS to a service-account key file, which is a long-lived credential artifact, without prominently warning about key theft, accidental inclusion in images or repos, and the preference for keyless mechanisms. Although the text later mentions preferring Workload Identity, the example still presents key-file use as a normal setup path without sufficient handling precautions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Azure section shows exporting AZURE_CLIENT_SECRET directly in the shell without warning that environment variables can be exposed in shell history, process inspection, CI logs, crash dumps, or shared sessions. In a cloud-storage skill that manages provider authentication, this omission is more dangerous because users are likely to copy-paste these commands into real environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal