Cloud Storage Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud storage helper, but users should treat its cloud credentials and delete/sync features carefully.

Install only if you are comfortable giving an agent access to the named cloud storage accounts. Use least-privilege credentials limited to specific buckets, containers, and prefixes; avoid production-wide keys; test sync and delete operations on non-critical data; and review the complete storage/sync implementation before relying on it because the submitted artifact does not include those modules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation presents a destructive synchronization option (`delete_remote=True`) without any warning, confirmation guidance, or explanation that remote objects not present locally will be deleted. In a cloud storage management skill, this can directly lead to irreversible data loss if a user copies the example into production or misunderstands the direction/scope of sync behavior.

Missing User Warnings

Low
Confidence: 82%
Finding
The skill documents raw cloud credential environment variables but does not warn users against hardcoding, logging, sharing, or committing secrets. Because this skill is specifically for managing multiple cloud providers, users are likely to handle highly privileged credentials, so omission of basic secret-handling guidance increases the risk of credential exposure and subsequent unauthorized access.

VirusTotal

64/64 vendors flagged this skill as clean.
