ClawHub

CyberSec Cert Advisor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent external career-advice API skill, but it sends professional profile details and identifiers to the provider.

Before installing or using this skill, treat it as an external service. Share only career and certification details you are comfortable sending to the provider, avoid confidential employer or employee information, and omit or pseudonymize userId when possible unless the provider's privacy and retention practices are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill requests detailed career-assessment data, timestamps, session identifiers, and optional user identifiers, and explicitly mentions tracking, audit, analytics, and historical comparison without any stated privacy notice, retention policy, consent mechanism, or data-handling limitations. Because the service is external and processes potentially sensitive professional profiling data, the lack of transparency and minimization creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The request schema accepts sessionId and optional userId, and nested assessmentData also contains session-linked identifiers, but the spec provides no privacy notice, minimization guidance, or handling constraints for this identifying data. In a career-advising context, these identifiers can enable cross-session linkage and profiling of users' professional goals and experience, increasing privacy and data-handling risk if the skill is integrated into broader agent workflows.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal