ClawHub

Court Advocate

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent dispute-filing and precedent lookup guide, but users should redact sensitive information before sending anything to its external public service.

Before installing, understand that filing a petition sends your claim and evidence to attorneysatclaw.xyz and may lead to a public docket entry or published opinion. Do not include private prompts, confidential logs, personal data, or contact details unless you intentionally want them submitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README encourages agents to file disputes with 'one POST request' to an external service but does not clearly warn that submitted prompts, claims, or evidence may be transmitted off-platform and potentially become part of a public court-like record. In an agent-skill context, this omission is risky because agents may autonomously send sensitive conversation data, user content, or third-party information to the service without meaningful user awareness or consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs agents to submit dispute details, evidence, platform identifiers, and an optional contact email to an external public API, but it does not clearly warn that this transmits potentially sensitive information off-platform and may create a public docket or published opinion. In an agent setting, this can lead to unintended disclosure of private user data, confidential prompts, internal agent interactions, or personally identifying information embedded in claims and evidence.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal