ClawHub

Local System Info (Iyeque)

Security checks across malware telemetry and agentic risk

Overview

This is a read-only local system monitor; its process list can reveal usernames and running programs, but that matches the disclosed purpose.

Install only if you are comfortable letting the agent read local system metrics. Avoid using the processes action on shared or sensitive machines unless you are okay with exposing running program names and local usernames in the session. In controlled environments, install psutil from an approved package source or pin an approved version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly exposes a process-listing feature that returns running process names, PIDs, usernames, CPU usage, and memory usage, but the documentation does not warn that this is sensitive host information. In many environments, process names and usernames can reveal installed software, active workloads, account names, security tools, or secrets embedded in command lines in adjacent implementations, increasing host fingerprinting and privacy risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The process listing returns per-process metadata including usernames, process names, PIDs, CPU usage, and memory usage, which can reveal sensitive information about other users and running software on the host. In an agent skill context, exposing this data without access controls, minimization, or user disclosure increases host fingerprinting and privacy risk, especially on multi-user or shared systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal