ClawHub

Lurefish

Security checks across malware telemetry and agentic risk

Overview

This is a coherent fishing assistant that stores catch records locally and may use online weather/search lookups, with no evidence of hidden credential access, destructive behavior, or exfiltration.

Install if you are comfortable with fishing logs, locations, notes, and statistics being stored locally in ~/lurefish. Provide weather manually if you do not want the catch logger to contact wttr.in, and review or delete the ~/lurefish folder when you no longer want the records retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger terms are broad enough that the skill may activate on ordinary fishing-related conversation without clear user intent to use the skill. Unnecessary activation increases the chance of unsolicited file creation, web lookups, or tool usage, especially given the skill's write and shell-related behaviors.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown states that local directories and data files are created automatically, but it does not specify any warning, consent, or retention controls. Silent persistence on the user's home directory can expose privacy-sensitive location and activity data and violates least-surprise expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically contacts wttr.in to fetch weather whenever weather is not provided, without clearly informing the user that an external network request will occur. This can leak metadata such as the user's IP address and request timing to a third party, which is a privacy issue even if no direct code-execution vector exists.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal