Fine-Tuning

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only fine-tuning guide. Its examples upload data to external model APIs and train models, which matches the skill's stated purpose; the usual cautions about sensitive data in training sets apply.

Safe to install. Before using the examples, review datasets for secrets, personal data, customer data, or regulated content; confirm you are allowed to send data to the chosen provider; check retention/DPA terms and billing; and use local or on-premise training when data cannot leave your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The synthetic data generation example embeds the full training example into a prompt and sends it to an external model API, which can expose proprietary, personal, regulated, or confidential data during dataset preparation. In a fine-tuning skill, this is especially risky because training corpora often contain sensitive production-derived examples, and the snippet provides no warning, redaction guidance, or consent/compliance checks before transmission.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The OpenAI fine-tuning example transmits a local file to a third-party API, but the snippet does not warn users that the training dataset may contain sensitive, proprietary, or regulated data. In a fine-tuning skill, users are especially likely to work with internal corpora, customer records, or other high-sensitivity material, so omission of a data-transmission warning can lead to unintended disclosure or compliance violations.
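Both findings, and the review step the Overview asks for, come down to one control: inspect the dataset, and redact or stop, before any code transmits it. The Python below is an added example written for this page, not code from the Fine-Tuning skill or from any provider's SDK. It assumes chat-style JSONL (one `{"messages": [...]}` object per line), uses a small illustrative set of detectors (an AWS access key ID shape, a PEM private-key header, e-mail addresses, US SSNs, Luhn-valid card numbers) that you would replace with your organisation's own DLP rules, and takes the actual upload as a caller-supplied callable so the gate does not depend on any particular API. The sample dataset at the bottom is constructed for the example.

```python
import json
import re
from typing import Any, Callable, Dict, Iterator, List, Tuple

# Illustrative detectors (assumption, not an exhaustive DLP ruleset).
# kind "secret" always blocks: a credential that reached a training corpus
# must be rotated, not merely scrubbed. kind "pii" blocks unless the caller
# explicitly opts into redaction.
DETECTORS: Dict[str, Tuple[str, re.Pattern]] = {
    "aws_access_key_id": ("secret", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "private_key_block": ("secret", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    "email": ("pii", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    "us_ssn": ("pii", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # 13-16 digits with optional separators; confirmed by a Luhn check below
    "payment_card": ("pii", re.compile(r"\b(?:\d[ -]?){12,15}\d\b")),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of digits (reduces card false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_hit(name: str, match: str) -> bool:
    if name == "payment_card":
        return luhn_ok(re.sub(r"\D", "", match))
    return True


def scan_text(text: str) -> List[Dict[str, str]]:
    """Return every detector hit in one string."""
    hits = []
    for name, (kind, rx) in DETECTORS.items():
        for m in rx.finditer(text):
            if _is_hit(name, m.group()):
                hits.append({"detector": name, "kind": kind, "match": m.group()})
    return hits


def redact_text(text: str) -> str:
    """Replace each confirmed hit with a labelled placeholder."""
    for name, (_, rx) in DETECTORS.items():
        text = rx.sub(lambda m, n=name: f"[REDACTED:{n}]" if _is_hit(n, m.group()) else m.group(), text)
    return text


def _strings(obj: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json-path, value) for every string nested in a record."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _strings(v, f"{path}[{i}]")


def _map_strings(obj: Any, fn: Callable[[str], str]) -> Any:
    """Rebuild a record with fn applied to every nested string value."""
    if isinstance(obj, str):
        return fn(obj)
    if isinstance(obj, dict):
        return {k: _map_strings(v, fn) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_map_strings(v, fn) for v in obj]
    return obj


def _records(jsonl_text: str) -> Iterator[Tuple[int, Any]]:
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if line.strip():
            yield lineno, json.loads(line)


def scan_dataset(jsonl_text: str) -> List[Dict[str, Any]]:
    """Findings with line number and JSON path, so the owner can fix the source."""
    return [{"line": ln, "path": path, **hit}
            for ln, rec in _records(jsonl_text)
            for path, value in _strings(rec)
            for hit in scan_text(value)]


def redact_dataset(jsonl_text: str) -> str:
    return "\n".join(json.dumps(_map_strings(rec, redact_text)) for _, rec in _records(jsonl_text))


def gate_upload(jsonl_text: str, upload: Callable[[str], str], redact: bool = False) -> Dict[str, Any]:
    """Call upload() only when no secrets remain and PII is absent or redacted."""
    findings = scan_dataset(jsonl_text)
    if any(f["kind"] == "secret" for f in findings):
        return {"uploaded": False, "reason": "secrets present: remove them and rotate the credentials", "findings": findings}
    if findings and not redact:
        return {"uploaded": False, "reason": "PII present: redact it or obtain approval before transmission", "findings": findings}
    text = redact_dataset(jsonl_text) if redact else jsonl_text
    return {"uploaded": True, "result": upload(text), "findings": findings}


# Constructed sample dataset for this example (AKIAIOSFODNN7EXAMPLE is the
# documented AWS placeholder key; the card number is a well-known test value).
SAMPLE_DATASET = "\n".join([
    json.dumps({"messages": [{"role": "user", "content": "How do I reset my password?"},
                             {"role": "assistant", "content": "Open Settings, then Security, then Reset password."}]}),
    json.dumps({"messages": [{"role": "user", "content": "Customer alice@example.com says card 4111 1111 1111 1111 was declined."},
                             {"role": "assistant", "content": "Ask them to contact their bank; do not store the card number."}]}),
    json.dumps({"messages": [{"role": "system", "content": "Use AKIAIOSFODNN7EXAMPLE to read the bucket."},
                             {"role": "user", "content": "List files."}]}),
])

if __name__ == "__main__":
    # A real caller would pass the provider SDK's file-upload call here.
    print(gate_upload(SAMPLE_DATASET, upload=lambda text: "file-id-placeholder"))
```

The upload callable is the only place a provider API appears, so the same gate sits in front of the synthetic-data prompt builder and the file upload the two findings describe. Secrets are never redacted automatically because the remediation is rotation; PII is redacted only when the caller opts in, which is where the consent and compliance decision belongs.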

VirusTotal

55/55 vendors flagged this skill as clean.
