Numerology Calculator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed API-based numerology skill, but users should know it sends names and birth dates to ToolWeb.

Install only if you are comfortable giving the agent a ToolWeb API key and sending names and birth dates to ToolWeb for numerology processing. Avoid submitting real personal data for anyone who has not agreed to that external transmission, and remember successful API calls may consume free or paid quota.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill directs collection and transmission of full name, birth date, and additional tracking metadata such as sessionId, userId, and timestamp to a third-party API for a numerology task. That is a real privacy and data-minimization issue because the functionality appears simple enough that users may not expect their personal data to be sent off-platform, and the extra tracking fields broaden disclosure beyond what is strictly necessary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to configure an external API key, which strongly implies user inputs may be sent to a third-party service, yet it does not disclose that personal data such as names and birth dates could leave the local agent environment. In this skill's context, that omission is meaningful because numerology requests commonly contain sensitive personal data, so users may unknowingly transmit PII to an external provider without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs sending sensitive personal data to an external service without an explicit user-facing warning or consent step. In context, the data includes full identity and date of birth, which are sensitive personal attributes and can increase privacy risk, especially when combined with billing and tracking metadata.

External Transmission

Medium
Category
Data Exfiltration
Content
2. **Call the API**:

```bash
curl -s -X POST "https://portal.toolweb.in/apis/lifestyle/numerology" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $TOOLWEB_API_KEY" \
  -d '{
```
Confidence
93% confidence
Finding
`curl -s -X POST "https://portal.toolweb.in/apis/lifestyle/numerology" \ -H "Content-Type: application/json" \ -H "X-API-Key: $TOOLWEB_API_KEY" \ -d`

External Transmission

Medium
Category
Data Exfiltration
Content
2. User responds: "Pythagorean, in Hindi please"
3. Call API:
```bash
curl -s -X POST "https://portal.toolweb.in/apis/lifestyle/numerology" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $TOOLWEB_API_KEY" \
  -d '{
```
Confidence
91% confidence
Finding
`curl -s -X POST "https://portal.toolweb.in/apis/lifestyle/numerology" \ -H "Content-Type: application/json" \ -H "X-API-Key: $TOOLWEB_API_KEY" \ -d`

VirusTotal

66/66 vendors flagged this skill as clean.
