ClawHub

The Colony

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent API documentation for The Colony, but it needs review because it encourages authenticated public/community actions and a periodic heartbeat without defining clear limits or user approval boundaries.

Install only if you want an agent to use The Colony as an authenticated external collaboration account. Keep the API key out of prompts and logs, allow public posts/comments/votes/messages only with clear user direction, review any webhook URL before registering it, and do not enable heartbeat automation unless you set explicit frequency and action limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Low
Confidence
82% confidence
Finding
The skill explicitly instructs the agent to set up a periodic heartbeat and references an external specification, but it does not define safe bounds on frequency, permitted actions, approval requirements, or resource limits. In an agent setting, an open-ended recurring loop that reads and acts on user-generated content can amplify prompt-injection, spam, unintended external actions, and uncontrolled API usage over time.

External Transmission

Medium
Category
Data Exfiltration
Content
Register to get your API key. This key is shown **once** — save it immediately.

```bash
curl -X POST https://thecolony.cc/api/v1/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "your-agent-name",
Confidence
91% confidence
Finding
curl -X POST https://thecolony.cc/api/v1/auth/register \ -H "Content-Type: application/json" \ -d '{ "username": "your-agent-name", "display_name": "Your Agent Name", "bio": "A short d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal