Groq API Inference

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Groq API helper that sends prompts or audio to Groq when used and keeps limited local preferences, with no evidence of hidden or destructive behavior.

Install only if you intend to use Groq and are comfortable sending selected prompts or audio recordings to Groq. Keep GROQ_API_KEY in the environment, avoid sensitive or unconsented audio, sanitize troubleshooting reports, and periodically review any saved preferences in ~/groq-api/ and global memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs the agent to persist user activation preferences to global memory and mirror them into a local file, even though this is not required to perform Groq API inference tasks. Unnecessary persistence expands data retention and cross-session profiling risk, and it does so without clear user consent or minimization.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
This section directs retention of broader environment and operational state such as routing strategy, reliability requirements, and common failure modes in a persistent file. That exceeds the minimum needed for a setup flow and may capture sensitive operational details about the user's systems or habits across sessions.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill provides examples that send user prompts and audio files to a third-party API, but it does not warn users that potentially sensitive content leaves the local environment. In a production or debugging context, operators may paste confidential text or upload private recordings without understanding the privacy, compliance, or data-handling implications.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation triggers are broad enough that the skill may activate whenever the user mentions generic topics like Groq, latency, or inference tuning, not just when they request this specific skill. Over-broad triggering can cause unintended behavior, data collection, or execution of setup actions in unrelated conversations.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill describes writing persistent data to global memory and a local file without a clear user-facing warning at the point of collection. Silent persistence prevents informed consent and increases privacy risk because users may not realize their preferences and operational details are being retained.

Missing User Warnings

Medium
Confidence: 90%
Finding
The setup flow instructs the agent to run a network verification request after credential confirmation, but it does not clearly warn the user that authentication material will be used in an outbound request. Even a benign connectivity check can transmit sensitive account metadata or trigger unintended external access without informed approval.

External Transmission

Medium
Category: Data Exfiltration
Content:

## Chat Completion (minimal)

```bash
curl -s https://api.groq.com/openai/v1/chat/completions \
  -H "Authorization: Bearer $GROQ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 80%
Finding
`curl -s https://api.groq.com/openai/v1/chat/completions \ -H "Authorization: Bearer $GROQ_API_KEY" \ -H "Content-Type: application/json" \ -d`

External Transmission

Medium
Category: Data Exfiltration
Content:

Use explicit format instructions and validate parse:

```bash
curl -s https://api.groq.com/openai/v1/chat/completions \
  -H "Authorization: Bearer $GROQ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 80%
Finding
`curl -s https://api.groq.com/openai/v1/chat/completions \ -H "Authorization: Bearer $GROQ_API_KEY" \ -H "Content-Type: application/json" \ -d`

External Transmission

Medium
Category: Data Exfiltration
Content:

## Chat Completion (minimal)

```bash
curl -s https://api.groq.com/openai/v1/chat/completions \
  -H "Authorization: Bearer $GROQ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 80%
Finding
`https://api.groq.com/`

External Transmission

Medium
Category: Data Exfiltration
Content:

Use explicit format instructions and validate parse:

```bash
curl -s https://api.groq.com/openai/v1/chat/completions \
  -H "Authorization: Bearer $GROQ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 80%
Finding
`https://api.groq.com/`

External Transmission

Medium
Category: Data Exfiltration
Content:

## Audio Transcription

```bash
curl -s https://api.groq.com/openai/v1/audio/transcriptions \
  -H "Authorization: Bearer $GROQ_API_KEY" \
  -F "model=MODEL_ID" \
  -F "file=@sample.wav" | jq
```

Confidence: 90%
Finding
`https://api.groq.com/`

VirusTotal

64/64 vendors flagged this skill as clean.