ClawHub

User Interview

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it handles a Usercall API key and external data transfer in ways users should review carefully before installing.

Review before installing. Use a non-printing API key check instead of echoing the key, prefer a session-scoped or secret-manager credential over adding it to shell startup files, and confirm that any research goals, business context, customer details, prototype links, or images are intended to be shared with Usercall before running the study creation command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send user-supplied research goals, business context, and optional prototype/image URLs to a third-party service, while authenticating with a bearer API key, but it does not require an explicit user-facing notice or consent step about external data transfer. This is risky because users may not realize potentially sensitive product, customer, or prototype information is leaving the local environment and being processed by Usercall.

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 3 — Create the study

```bash
curl -s -X POST https://app.usercall.co/api/v1/agent/studies \
  -H "Authorization: Bearer $USERCALL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '<json>'
Confidence
97% confidence
Finding
curl -s -X POST https://app.usercall.co/api/v1/agent/studies \ -H "Authorization: Bearer $USERCALL_API_KEY" \ -H "Content-Type: application/json" \ -d '<json>' ``` JSON body: ```json { "key_

Session Persistence

Medium
Category
Rogue Agent
Content
> To use openclaw you need a Usercall API key.
>
> **1. Sign up at https://app.usercall.co**
> Go to Home → Developer → Create API key
>
> **2. Set your API key**
> ```bash
Confidence
85% confidence
Finding
Create API key > > **2. Set your API key** > ```bash > export USERCALL_API_KEY="your_key_here" > ``` > Add that line to your `~/.zshrc` or `~/.bashrc

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal