Unformal Api

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a coherent Unformal API helper, but it asks the agent to update global tooling and overwrite the installed skill from a remote URL, and it handles potentially sensitive respondent data without clear consent/privacy safeguards.

Review before installing. Use a dedicated, revocable Unformal API key; manually approve npm installs, curl-based skill updates, POST/PATCH/DELETE actions, exports, and webhook destinations; avoid automatic self-updates; and only collect or forward respondent transcripts, HR/applicant data, customer data, or quotes when you have consent and trust the destination.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium (88% confidence)

Finding
The skill’s invocation guidance is extremely broad and encourages use for many generic information-gathering scenarios, which increases the chance the agent will invoke it without sufficiently checking whether sensitive personal, employee, applicant, or customer data is involved. In this context, over-triggering is risky because the skill routes data to a third-party service, creates persistent transcripts, and may expose users to unintended external sharing.

Missing User Warnings

Medium (95% confidence)

Finding
The skill instructs the agent to collect, export, analyze, and webhook-deliver transcripts and structured responses but does not prominently warn about privacy, retention, consent, or handling of sensitive personal data. Because the described use cases include employees, applicants, leads, and research participants, omission of these safeguards can lead to unauthorized disclosure or inappropriate processing of personal and potentially sensitive information.

VirusTotal

65/65 vendors flagged this skill as clean.
