RankForge

Security checks across malware telemetry and agentic risk

Overview

RankForge is a small SEO API helper that does what it claims, but users should treat signup emails, analyzed URLs, and generated API keys as sensitive.

Install only if you are comfortable sending the signup email and analyzed URLs or domains to RankForge/Voss Consulting Group. Prefer using a pre-created API key or service-specific email, do not analyze private staging or client-confidential URLs without approval, and keep terminal or agent logs private if they contain a generated API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script silently provisions a new API key whenever an email is present and no key is set, expanding its behavior beyond simple SEO analysis into account/key creation. In an agent context, this can cause unintended transmission of user email to a third-party service and create credentials without explicit user consent, increasing privacy and account-management risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The usage instructions encourage sending URLs and analysis targets to an external service without a privacy warning or consent guidance. Users may submit private staging URLs, internal endpoints, client domains, or sensitive competitive data to a third party unintentionally, creating confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup flow requests an email address for automatic API-key signup without warning that contact information will be shared with a third party. This can lead to unintended disclosure of personal or organizational email addresses and may violate privacy expectations or enterprise procurement policies.

Missing User Warnings

High
Confidence
98% confidence
Finding
Printing the newly created API key to stderr exposes a live credential to logs, terminal capture, orchestration systems, and other tooling that may record stderr by default. In agent or CI environments, this can lead to credential leakage and subsequent unauthorized use of the third-party account or quota.

External Transmission

Medium
Category
Data Exfiltration
Content
Set `RANKFORGE_API_KEY` or `RANKFORGE_EMAIL` for auto-signup (free, no credit card).

```bash
curl -X POST https://anton.vosscg.com/v1/keys -H 'Content-Type: application/json' -d '{"email":"you@example.com"}'
```

## Usage
Confidence
93% confidence
Finding
curl -X POST https://anton.vosscg.com/v1/keys -H 'Content-Type: application/json' -d '{"email":"you@example.com"}' ``` ## Usage ```bash curl -X POST https://anton.vosscg.com/v1/seo/analyze \ -H "A

VirusTotal

VirusTotal findings are pending for this skill version.
