API Mock Server

Security checks across malware telemetry and agentic risk

Overview

This is a normal local API mock server with some dependency and network-exposure caveats, but no artifact evidence of hidden egress, credential use, persistence, or destructive behavior.

Install in a virtual environment, pin or lock dependencies before CI or shared-team use, and run the server with --host 127.0.0.1 unless you deliberately want other machines to reach it. Do not assume webhook simulation exists in this version without reviewing or adding that feature.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises webhook simulation, which strongly implies the ability to send outbound HTTP requests to user-specified endpoints, but it does not disclose that behavior or warn about its effects on external systems. In an agent setting, this omission can lead users to invoke the skill in environments where unsolicited network access, SSRF-like behavior, or unintended calls to production services are risky.

Unpinned Dependencies

Low
Category
Supply Chain
Content
Flask>=2.3.0
Faker>=19.0.0
jsonschema>=4.17.0
requests>=2.31.0
Confidence
97% confidence
Finding
Flask>=2.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Flask>=2.3.0
Faker>=19.0.0
jsonschema>=4.17.0
requests>=2.31.0
pytest>=7.0.0
Confidence
96% confidence
Finding
Faker>=19.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Flask>=2.3.0
Faker>=19.0.0
jsonschema>=4.17.0
requests>=2.31.0
pytest>=7.0.0
Confidence
96% confidence
Finding
jsonschema>=4.17.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Flask>=2.3.0
Faker>=19.0.0
jsonschema>=4.17.0
requests>=2.31.0
pytest>=7.0.0
Confidence
97% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Faker>=19.0.0
jsonschema>=4.17.0
requests>=2.31.0
pytest>=7.0.0
Confidence
94% confidence
Finding
pytest>=7.0.0

Known Vulnerable Dependency: Flask — 8 advisory(ies): CVE-2025-47278 (Flask uses fallback key instead of current signing key); CVE-2018-1000656 (Flask is vulnerable to Denial of Service via incorrect encoding of JSON data); CVE-2019-1010083 (Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory u) +5 more

High
Category
Supply Chain
Confidence
92% confidence
Finding
Flask

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
79% confidence
Finding
pytest

VirusTotal

67/67 vendors flagged this skill as clean.
