ClawHub

code-to-requirement-analyser

Security checks across malware telemetry and agentic risk

Overview

This skill is a user-directed local code analysis tool with documented caching and optional knowledge-base storage, and I found no hidden execution or implemented data exfiltration.

Install this only for repositories where local caching of code-derived analysis is acceptable. Use --no-cache for sensitive one-off analysis, avoid enabling any future LLM-backed feature without reviewing what data is sent, and run optional setup scripts only after confirming you want them to modify the skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented commands include saving analysis results to a knowledge base and clearing all caches, both of which modify or delete local user data, but there is no prominent warning or confirmation expectation. In a code-analysis skill, users may reasonably assume read-only behavior, so undisclosed state changes increase the risk of accidental data loss or unintended persistence of sensitive code-derived information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The environment configuration advertises use of an external LLM API key for deep semantic analysis without warning that source code, business rules, or trade-related data may be transmitted to a third-party service. Because this skill is intended to analyze potentially sensitive front-end trading code, silent external transmission could expose proprietary logic, credentials, or regulated business information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal