ClawHub

Domain Trust Check

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward URL and domain reputation checker that uses a disclosed third-party API, with privacy and setup caveats users should understand.

Install only if you trust Outtake with the URLs you ask it to analyze. Avoid submitting password-reset links, private document links, internal hostnames, or URLs with sensitive query parameters; strip or redact those parts first when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill's stated purpose is URL/domain safety checking, but it also includes a registration workflow that collects identity details and obtains a reusable API key. That broadens the capability from simple scanning to account creation and credential provisioning, which is unnecessary for many uses and can cause unauthorized external account creation or disclosure of user/agent metadata to a third party.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API reference instructs callers to submit full URLs to a third-party service but does not warn that those URLs may contain sensitive data such as private document links, password-reset tokens, email tracking parameters, or internal hostnames. In a URL safety-checking skill, users are especially likely to paste untrusted links copied from messages or enterprise systems, so omission of a privacy warning can lead to inadvertent disclosure of sensitive information to the external provider.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal