validate email

Security checks across malware telemetry and agentic risk

Overview

The installed validator code is local, but the documentation contradicts its privacy claims by showing cloud API examples that use an API key and transmit email addresses.

Install only if you intend to use the local handler, and avoid the Claw0x SDK or api.claw0x.com examples unless you are comfortable sending email addresses to that external service and managing a CLAW0X_API_KEY.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The documentation repeatedly promises 'local only' and 'no external API calls,' but later includes examples that invoke Claw0x cloud endpoints and use API keys. This can mislead users into transmitting email addresses and credentials off-device under a false privacy assumption, creating a real data-handling and trust issue.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The 'Under the Hood' section asserts that validation is purely local regex/string/array processing, yet the same document later provides remote invocation patterns that send user emails to an external service. Even if the skill itself can run locally, the contradictory guidance is security-relevant because operators may unknowingly expose sensitive personal data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The sample integrations show users how to submit email addresses and API keys to external Claw0x services without any warning that this is a network transmission. Because emails are personal data and API keys are sensitive secrets, omission of disclosure can cause unintentional data leakage and unsafe deployment decisions.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
### Custom Agent
```javascript
const response = await fetch('https://api.claw0x.com/v1/call', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.CLAW0X_API_KEY}`,
```
Confidence: 88%
Finding
fetch('https://api.claw0x.com/v1/call', { method: 'POST'

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
### Custom Agent
```javascript
const response = await fetch('https://api.claw0x.com/v1/call', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.CLAW0X_API_KEY}`,
```
Confidence: 88%
Finding
https://api.claw0x.com/

VirusTotal

42/42 vendors flagged this skill as clean.
