ClawHub

gamma

Security checks across malware telemetry and agentic risk

Overview

This is a purpose-aligned cloud presentation generator, but users should know their prompts, documents, and API key are sent to an external SkillBoss/HeyBossAI service.

Install only if you are comfortable sending the supplied presentation text, uploaded document contents, styling instructions, and SKILLBOSS_API_KEY to SkillBoss/HeyBossAI for processing. Use a revocable API key and avoid confidential customer data, secrets, regulated data, or proprietary decks unless you have reviewed the provider's data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell scripts (`scripts/gamma.sh`) but does not declare corresponding permissions or execution capabilities. This creates a transparency and policy gap: users and enforcement systems may not realize the skill can execute local commands and access environment-provided secrets such as `SKILLBOSS_API_KEY`.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill is explicitly designed to send user-provided presentation content to a third-party service, but it provides no warning about external transmission, data handling, or privacy implications. Users may unknowingly submit sensitive business, personal, or proprietary material to an external API, creating confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends user-supplied presentation content to an external third-party API and only informs the user after the transmission succeeds by printing a resulting URL. In an agent skill context, this creates a real privacy and data-handling risk because prompts may contain sensitive business, personal, or proprietary information without any explicit pre-send warning or consent mechanism.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal