Lynse Cli

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly harmful, but it uses a powerful Lynse API key, includes account-changing actions, and references missing install/runtime scripts that cannot be reviewed in the submitted package.

Install only if you trust the Lynse publisher and can review or obtain the missing shell scripts from a trusted source. Use a dedicated least-privilege API key, set LYNSE_API_HOST only to the intended backend, protect the token cache, and require manual confirmation before deleting resources, changing users/teams/models/devices, or sending messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The skill description says it should be used for a very wide range of ordinary Lynse-related actions, including even simple account or file-list queries. Overly broad activation criteria can cause the agent to invoke a high-privilege API skill more often than necessary, increasing the chance of unintended data access, unnecessary secret use, or unsafe side effects from ambiguous user requests.

Natural-Language Policy Violations

Medium
Confidence: 81%
Finding
The skill metadata and instructions are written to operate in Chinese without offering user language choice, which can cause the agent to respond in a language the user did not request. While not a direct code-execution issue, this can mislead users, reduce comprehension of sensitive operations and error messages, and weaken informed consent around actions involving account data or administrative APIs.

VirusTotal

VirusTotal findings are pending for this skill version.