Kevros Governance

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed third-party governance and audit integration, but users should be careful about what action data they send to it.

Before installing, decide which actions should be governed. Avoid sending secrets, PII, regulated data, or full business context in action_payload unless you intend it to be processed and logged externally. Protect the Kevros API key, verify the SDK packages and domains, and review the provider's privacy, retention, and audit-access terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs agents to submit action metadata to a third-party governance service before acting, but it provides no warning about what data may be disclosed, retained, or subject to external processing. In agent environments, action payloads can contain sensitive operational, financial, or customer data, so omission of privacy, minimization, and consent guidance creates a real data-exposure risk.

VirusTotal

60/60 vendors flagged this skill as clean.
