ClawHub

summarize

Security checks across malware telemetry and agentic risk

Overview

This summarization skill appears purpose-aligned, but users should understand that submitted files, URLs, and fetched content may be processed by remote services.

Install only if you are comfortable with submitted documents, URLs, page contents, and transcript data being handled by SkillBoss and possibly downstream providers. Avoid sensitive or regulated content unless you have reviewed the provider’s data handling and keep remote fallbacks disabled when privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly states that a unified API key routes requests through a remote SkillBoss endpoint and that the service handles multiple providers, but it does not clearly warn users that URLs, local file contents, or derived extracted content may be transmitted off-host. For a summarization skill that accepts local files and web content, this creates a real privacy and data-handling risk because users may unknowingly send sensitive documents or URLs to a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The optional `--firecrawl` and `--youtube auto` features are described as fallbacks via the remote API hub, but there is no explicit warning that enabling them may cause external fetching and transmission of web pages, blocked-site content, or YouTube transcript data through a third-party service. This omission is risky because users may assume these are purely local convenience features when they actually expand the scope of remote data access and sharing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal