
Security audit

Sofagent Fde

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed enterprise AI deployment guide with expected business-data and automation risks, but no artifact evidence of deception, exfiltration, or malware.

Before installing, confirm who is allowed to deploy agents into business workflows, review the external sofagent install script, use least-privilege API credentials, redact secrets and personal or regulated data from generated documents, restrict knowledge-base access, and require full human review for finance, contracts, approvals, legal, security, or customer-impacting outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding
The skill instructs the operator to create and continuously populate enterprise knowledge-base documents containing workflow maps, operational manuals, troubleshooting records, and AI execution artifacts, but it provides no safeguards for sensitive business, personnel, or regulated data. In an enterprise deployment setting, this can lead to oversharing of confidential information into broadly accessible knowledge platforms and long-term retention of sensitive content without classification, minimization, or access controls.

Missing User Warnings

Severity: Medium
Confidence: 90%

Finding
The skill directs setup of autonomous sub-agent sessions, AI copilots, and workflow checkpoints that can push outputs into enterprise processes, yet it does not prominently warn that automated outputs may affect downstream business operations before human validation. In this context, missing guardrails increase the risk of incorrect, unauthorized, or non-compliant actions propagating into production workflows, especially for sensitive nodes such as finance, contracts, or approvals.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.