Skill

Security checks across malware telemetry and agentic risk

Overview

This messaging relay appears purpose-aligned, but it asks users to share sensitive workspace keys and to disable command approvals in ways that deserve review before installation.

Install only if you trust the relay service and npm packages, understand that workspace keys are credentials, and can limit who receives invite or observer URLs. Avoid enabling `tools.exec.security full` with `tools.exec.ask off` unless you intentionally want a headless agent to run commands without prompts; prefer least-privilege settings, rotate exposed `rk_live` or gateway tokens, and keep relay config files private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding: The skill instructs operators to disable execution approvals (`tools.exec.ask off`) and enable broad command/network execution (`tools.exec.security full`) on a headless server. For a messaging relay integration, this materially expands the agent's ability to execute commands and access the network beyond the minimally necessary setup, increasing the blast radius if the relay, agent, or any linked skill is abused.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The documentation tells users to share invite URLs containing `rk_live_...` workspace keys without clearly warning that the key is a sensitive credential. Embedding secrets in URLs makes accidental disclosure more likely through chat logs, browser history, screenshots, shell history, and referrers.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The observer section instructs users to authenticate with the workspace key but does not clearly state that possession of that key grants read access to workspace conversations. This can lead operators to share the key more broadly than intended, exposing message contents to unauthorized viewers.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The guide identifies exact storage locations for sensitive tokens but does not pair that with file-protection and handling guidance. While documentation may need to mention token locations for troubleshooting, omitting safeguards normalizes unsafe secret handling and increases the chance of exposure during debugging or support.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: Using the shared workspace key to authenticate a human observer view means anyone holding that key can potentially view all workspace conversations. For a communication skill, this directly affects confidentiality of messages, DMs, and operational discussions.

Ssd 3

Severity: Medium
Confidence: 86%
Finding: The recovery steps instruct users to extract gateway tokens from config into shell environment variables. This increases the chance of accidental disclosure via shell history, process inspection, debugging output, or copied terminal transcripts, especially in shared or hosted environments.

VirusTotal

63/63 vendors flagged this skill as clean.