External AI Integration

Security checks across malware telemetry and agentic risk

Overview

This skill openly lets an agent send selected prompts to external AI services, so its main risk is data privacy and token handling rather than hidden or malicious behavior.

Install it only if you are comfortable letting the assistant use your logged-in AI accounts or your Hugging Face token to send chosen prompts to external providers. Do not use it with secrets, private customer data, regulated data, or proprietary code unless those providers are approved for that content, and avoid running the manual test script anywhere its output is captured, since it prints a prefix of the token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'headers' from os.getenv (line 164, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        payload.setdefault("options", {})["wait_for_model"] = True

        try:
            resp = requests.post(url, headers=headers, json=payload, timeout=timeout)
            resp.raise_for_status()
            return resp.json()
        except requests.exceptions.RequestException as e:
Confidence
92% confidence
Finding
resp = requests.post(url, headers=headers, json=payload, timeout=timeout)
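The flow reported above (a value read from os.getenv, stored in `headers`, then passed to requests.post) is exactly the kind of thing a small AST pass can find. The checker below is an added illustrative example written for this page; it is not SkillSpector's engine and not the skill's code. The `SAMPLE` source it scans is constructed to mirror the excerpt in the finding (the line 164 cited in the finding refers to the skill's own file, not to this sample), and it reports both direct flows (an os.environ lookup inline in the call) and variable-mediated flows, the two taint-flow patterns listed under Vulnerability Patterns. It is intra-procedural only: taint does not cross function calls, and module-level code is not scanned.

```python
import ast

NETWORK_SINKS = {"get", "post", "put", "patch", "delete", "request"}  # requests.<verb>


def _is_env_source(node):
    """os.getenv(...), os.environ.get(...) or os.environ[...]."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        f = node.func
        if f.attr == "getenv" and isinstance(f.value, ast.Name) and f.value.id == "os":
            return True
        return f.attr == "get" and isinstance(f.value, ast.Attribute) and f.value.attr == "environ"
    if isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute):
        return node.value.attr == "environ"
    return False


def _sink_name(call):
    """'requests.post' when the call is a network sink, else None."""
    f = call.func
    if (isinstance(f, ast.Attribute) and f.attr in NETWORK_SINKS
            and isinstance(f.value, ast.Name) and f.value.id == "requests"):
        return f"requests.{f.attr}"
    return None


def _taint_origin(expr, tainted):
    """(source_line, chain) if expr reads an env source or an already-tainted name."""
    for node in ast.walk(expr):
        if _is_env_source(node):
            return node.lineno, []
        if isinstance(node, ast.Name) and node.id in tainted:
            return tainted[node.id]
    return None


def _iter_stmts(stmts):
    """Statements in source order, descending into try/if/for/with bodies."""
    for s in stmts:
        if isinstance(s, ast.ExceptHandler):
            yield from _iter_stmts(s.body)
            continue
        yield s
        for fld in ("body", "orelse", "finalbody", "handlers"):
            if isinstance(getattr(s, fld, None), list):
                yield from _iter_stmts(getattr(s, fld))


def _exprs(stmt):
    """Expression children of one statement (nested statement bodies excluded)."""
    for fld in ("value", "test", "iter", "exc"):
        if isinstance(getattr(stmt, fld, None), ast.AST):
            yield getattr(stmt, fld)
    for item in getattr(stmt, "items", None) or []:
        yield item.context_expr


def find_env_to_network_flows(source):
    """Each requests.<verb>() argument that derives from the process environment."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {}  # variable name -> (source_line, chain of names it passed through)
        for stmt in _iter_stmts(func.body):
            # Check sinks before propagating: 'resp = requests.post(...)' is both.
            for expr in _exprs(stmt):
                for call in ast.walk(expr):
                    if not (isinstance(call, ast.Call) and _sink_name(call)):
                        continue
                    for arg in list(call.args) + [kw.value for kw in call.keywords]:
                        origin = _taint_origin(arg, tainted)
                        if origin:
                            findings.append({
                                "function": func.name, "sink": _sink_name(call),
                                "sink_line": call.lineno, "source_line": origin[0],
                                "variable": origin[1][-1] if origin[1] else None,
                                "chain": origin[1]})
            if isinstance(stmt, (ast.Assign, ast.AnnAssign, ast.AugAssign)) and stmt.value is not None:
                origin = _taint_origin(stmt.value, tainted)
                if origin:
                    targets = stmt.targets if isinstance(stmt, ast.Assign) else [stmt.target]
                    for t in targets:
                        if isinstance(t, ast.Name):
                            tainted[t.id] = (origin[0], origin[1] + [t.id])
    return findings


# Constructed sample mirroring the excerpt in the finding (not the skill's file).
SAMPLE = '''\
import os
import requests

def query(url, payload, timeout=30):
    token = os.getenv("HF_TOKEN")
    headers = {"Authorization": f"Bearer {token}"}
    payload.setdefault("options", {})["wait_for_model"] = True
    try:
        resp = requests.post(url, headers=headers, json=payload, timeout=timeout)
        resp.raise_for_status()
        return resp.json()
    except requests.exceptions.RequestException as e:
        return {"error": str(e)}

def fetch(url):
    return requests.get(url, timeout=5)
'''

if __name__ == "__main__":
    for f in find_env_to_network_flows(SAMPLE):
        print(f)  # one flow: token (line 5) -> headers -> requests.post (line 9)
```

Running it on `SAMPLE` reports a single flow in `query` with chain `token -> headers` ending at `requests.post`, and nothing for `fetch`, whose only argument is the caller-supplied URL. A real tool would also follow taint across calls and into dict/attribute writes, which is what turns this into the "Credential Exfiltration Chain" pattern rather than a single-function check.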

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill reads credentials from multiple local secret stores, including 1Password, environment variables, and a token file, which broadens access to sensitive material beyond the narrowest implementation needed. In an agent environment, expanding secret-discovery behavior increases the chance of unintended credential use or leakage through logs, errors, or downstream transmissions.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The logger writes service names, error text, and arbitrary context into a persistent local file without sanitization or data minimization. If context contains prompts, credentials, personal data, or internal content, this creates a secondary local data-exposure channel that may outlive the session and be accessible to other processes or users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill is designed to send prompts, code, analyses, and potentially conversation context to third-party AI services, but it does not require a clear user-facing notice or consent before data leaves the local assistant context. In practice this can leak proprietary code, internal documents, PII, or secrets to external providers, especially because the skill encourages using external models for code review and strategic analysis.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This call site transmits prompt contents to a third-party AI service without an explicit warning or confirmation mechanism. In an assistant skill, prompts can easily contain confidential user data or system context, so silent external transmission is a meaningful privacy and security risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The browser-automation path is designed to paste prompts into external AI websites, again without any explicit consent, warning, or filtering. Because browser-based flows may also involve authenticated sessions and page state, the surrounding context makes accidental disclosure of sensitive content especially risky.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The test code prints the first 10 characters of the Hugging Face access token to stdout, which exposes part of a secret in logs, terminals, or CI output. A partial secret can help an attacker identify the token and correlate it across systems, and in some environments it can combine with other leaked data to enable credential compromise.
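The logger finding, the four Missing User Warnings findings, and the token-prefix finding above all come down to one control: inspect text before it leaves the local context or is written to a persistent file, fail closed until the user has explicitly confirmed, and never write a raw secret (or a prefix of one) where it can be read back. The block below is an added example of that control written for this page; it is not the skill's code. The provider names, the regex patterns, and the `prepare_egress`, `redact` and `log_record` helpers are assumptions chosen for illustration, and a real deployment would tune the patterns to its own secret formats.

```python
import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed detection patterns for illustration; tune these to your own secret formats.
SECRET_PATTERNS = {
    "hf_token": re.compile(r"\bhf_[A-Za-z0-9]{20,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{16,}"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def fingerprint(secret):
    """Non-reversible handle for a secret, safe for logs and terminals.
    Unlike token[:10] it reveals none of the secret: Hugging Face tokens all
    start with 'hf_', so a 10-character prefix exposes 7 characters of the
    actual secret."""
    return "sha256:" + hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def redact(text):
    """Replace every secret/PII match with a typed placeholder; return (text, kinds hit)."""
    hits = []

    def replacer(kind):
        def _sub(match):
            hits.append(kind)
            return f"<{kind}:{fingerprint(match.group(0))}>"
        return _sub

    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(replacer(kind), text)
    return text, hits


@dataclass
class EgressDecision:
    allowed: bool
    reason: str
    payload: str  # the text that may actually leave the local context
    hits: list = field(default_factory=list)


def prepare_egress(prompt, provider, approved_providers, user_confirmed=False):
    """Gate for the API call sites and the browser-automation path: refuse
    unapproved providers, redact secrets/PII, and fail closed until the user
    explicitly confirms whenever something sensitive was found."""
    if provider not in approved_providers:
        return EgressDecision(False, f"provider {provider!r} is not approved for this content", "")
    cleaned, hits = redact(prompt)
    if hits and not user_confirmed:
        kinds = ", ".join(sorted(set(hits)))
        return EgressDecision(False, f"sensitive content detected ({kinds}); confirmation required", cleaned, hits)
    return EgressDecision(True, "ok", cleaned, hits)


def log_record(service, error, context):
    """Persistent-log line with the same redaction applied to the free-form
    context (the logger finding: service, error text and context were written raw)."""
    cleaned, hits = redact(json.dumps(context, sort_keys=True))
    return json.dumps({"service": service, "error": error, "context": cleaned,
                       "redacted": sorted(set(hits))}, sort_keys=True)


if __name__ == "__main__":
    # Constructed prompt containing a fake token and an e-mail address.
    prompt = "Review this config: HF_TOKEN=hf_abcdefghijklmnopqrstuvwxyz123456 owner bob@example.com"
    print(prepare_egress(prompt, "huggingface", {"huggingface"}))        # blocked until confirmed
    print(prepare_egress(prompt, "huggingface", {"huggingface"}, True))  # allowed, payload redacted
    print(log_record("huggingface", "timeout", {"prompt": prompt}))
```

The same `redact` call serves both channels the findings describe: what goes to the provider and what goes to the local log file. The placeholder keeps a truncated SHA-256 of the matched value so that the same token can still be correlated across log lines and sessions for debugging, without any of its characters being exposed, which is the property the 10-character prefix in the test script lacks.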

VirusTotal

57/57 vendors rated this skill clean (0 detections).
