Embeddings

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only embeddings guide whose remote API and vector storage examples fit its purpose, but users should treat embedded content as sensitive.

Before installing or using this skill, decide whether your documents, code, queries, and metadata may be sent to third-party embedding or reranking services. Use local models for confidential or regulated data, protect API keys, and apply retention, access control, and deletion policies to any vector database you create.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Severity: Low
Confidence: 92%
Finding
The skill explicitly recommends calling third-party embedding APIs but does not warn that submitted text, code, or images may be transmitted to external providers. In a skill focused on embeddings, users may reasonably pass sensitive internal documents, source code, or personal data, so omission of a privacy/data-handling warning can lead to unintended data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The OpenAI example shows embedding arbitrary text with a third-party API but does not warn that submitted content leaves the local environment and is transmitted to an external provider. In an embeddings skill, users may reasonably paste proprietary documents, source code, or PII for vectorization, so omission of a disclosure increases the risk of unintentional data exposure and policy/privacy violations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The Cohere sample similarly embeds user-provided text through a remote API without any notice that the text is transmitted to a third party. Because this skill is specifically about choosing embedding providers, the absence of a privacy warning is more dangerous: it normalizes copy-pasting sensitive content into SaaS embedding endpoints without informed consent or safeguards.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The Voyage AI example demonstrates remote embedding of text but omits any disclosure that the text will be transmitted to an external service. In the context of semantic search and code/document embeddings, this can lead users to send internal code, design docs, or other sensitive material to a third party without realizing the privacy and compliance implications.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The reranking example transmits the user query and full candidate document contents to a third-party service via Cohere without any warning, consent flow, or guidance on data sensitivity. In an embeddings/search skill, retrieved candidates may contain proprietary, personal, or otherwise sensitive text, so this example can normalize unsafe exfiltration of data to an external API.

VirusTotal

63/63 vendors flagged this skill as clean.