ClawHub

AR VR Developer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward third-party AR/VR career-roadmap API skill, with a privacy caveat around submitted assessment and tracking data.

Treat this as a third-party API: avoid submitting confidential employer/client details or unnecessary personal identifiers. Use a pseudonymous sessionId where possible and omit userId unless you trust the provider's data handling and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly describes capturing session tracking data and optional user identifiers, but provides no privacy notice, retention policy, minimization guidance, or handling constraints. Even though the data is not highly sensitive by itself, combining career assessment details, session IDs, timestamps, and user IDs enables profiling and linkability across requests, creating unnecessary privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal