Test Clone

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ClawHub CLI/registry workflow with explicit user-run commands, but users should review bulk update and publish commands before using them.

Install only if you intend to use ClawHub as a registry CLI. Avoid `--all --no-input --force` unless you are comfortable overwriting local installed skills, and review any folder before publishing because its skill/package contents will be uploaded to ClawHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The example `clawhub update --all --no-input --force` performs a bulk, non-interactive forced update of installed skills, which can overwrite or change local agent capabilities without review. In a skill whose purpose is to fetch and update executable agent skills from a remote registry, presenting this command without a warning increases the risk of accidental mass changes, supply-chain exposure, or disruption from incompatible updates.

Missing User Warnings

Medium
Confidence: 85%
Finding
The login and publish instructions imply sending authentication data and potentially full skill contents or metadata to a remote registry, but they do not warn users about privacy, credential handling, or data transmission. Because this skill is specifically designed to publish and sync code-like skill folders with clawhub.com, omission of that warning can cause unintentional disclosure of proprietary, sensitive, or account-linked information.

VirusTotal

60/60 vendors flagged this skill as clean.
