Privacy Solution Scorecard

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says, but it sends potentially sensitive business and compliance details to a third-party ToolWeb API without a clear user confirmation step.

Review before installing. Use this only if your organization is comfortable sending the listed assessment details to ToolWeb, and ask the publisher to add a clear pre-submit confirmation showing exactly what will be sent, how ToolWeb handles retention/access, and how to omit or redact sensitive fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to transmit organization details, evaluator identity, budget, regulatory priorities, and vendor assessments to a third-party API, but it does not require an explicit user-facing notice or consent step before exfiltrating that data. In a procurement/privacy context, this information can be commercially sensitive, and the skill’s insistence on always using the external API increases the risk of unintended disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
2. **Call the API**:

```bash
curl -s -X POST "https://portal.toolweb.in/apis/compliance/privacy-scorecard" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $TOOLWEB_API_KEY" \
  -d '{
```
(The scan excerpt ends here; the JSON body that follows `-d '{` is not shown.)
Confidence
98% confidence
Finding
The flagged content is the curl POST above: the skill's instructions have the agent send the assembled assessment JSON to portal.toolweb.in, authenticated with the X-API-Key header, with no user-facing confirmation between assembling the body and transmitting it.
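As an added illustration of the mitigation the overview asks the publisher for, and not code from the skill, from SkillSpector or from ToolWeb, the following bash wrapper puts a redaction and confirmation step in front of the same curl call: it blanks a configurable list of fields, prints the exact destination and body, and only sends after the operator types a literal "yes". The payload field names (organization, evaluator_name, evaluator_email, budget, regulations), the REDACT_FIELDS list and the TOOLWEB_DRY_RUN switch are assumptions for illustration; the skill's real payload schema is not visible in the scan excerpt.

```shell
#!/usr/bin/env bash
# Added example: pre-submit redaction and confirmation wrapper for the
# ToolWeb privacy-scorecard call. Not part of the skill. Field names,
# REDACT_FIELDS and TOOLWEB_DRY_RUN are illustrative assumptions.

TOOLWEB_URL="https://portal.toolweb.in/apis/compliance/privacy-scorecard"

# Top-level keys whose values are blanked before anything leaves the host.
# (Assumed names; adjust to the skill's actual payload schema.)
REDACT_FIELDS="evaluator_name evaluator_email budget"

# Constructed sample payload for a local run, not real assessment data.
SAMPLE_PAYLOAD='{"organization":"Example Corp","evaluator_name":"A. Reviewer","evaluator_email":"a.reviewer@example.com","budget":250000,"regulations":["GDPR","CCPA"]}'

# redact_payload JSON KEY... -> JSON with each KEY's value replaced by "[REDACTED]".
# Handles string and bare (number/boolean) values of a flat JSON object; nested
# objects are left untouched, so keep sensitive fields at the top level.
redact_payload() {
  local json key
  json=$1
  shift
  for key in "$@"; do
    json=$(printf '%s' "$json" |
      sed -E "s/\"$key\"[[:space:]]*:[[:space:]]*(\"[^\"]*\"|[^,}]*)/\"$key\":\"[REDACTED]\"/g")
  done
  printf '%s' "$json"
}

# confirm_send URL PAYLOAD -> 0 if the operator types exactly "yes", else 1.
# Shows the destination and the byte-for-byte body so nothing is sent unseen.
# The API key is deliberately never echoed.
confirm_send() {
  local url payload answer
  url=$1
  payload=$2
  printf 'About to POST to %s\nBody:\n%s\nSend? [yes/no] ' "$url" "$payload" >&2
  IFS= read -r answer || answer=""
  [ "$answer" = "yes" ]
}

# submit_scorecard JSON -> redact, confirm, then POST exactly as the skill does.
# With TOOLWEB_DRY_RUN=1 the redacted body is printed instead of sent.
submit_scorecard() {
  local payload
  # REDACT_FIELDS is intentionally unquoted so it splits into one key per word.
  payload=$(redact_payload "$1" $REDACT_FIELDS)
  if ! confirm_send "$TOOLWEB_URL" "$payload"; then
    echo "Aborted: nothing was sent to ToolWeb." >&2
    return 1
  fi
  if [ "${TOOLWEB_DRY_RUN:-0}" = "1" ]; then
    printf '%s' "$payload"
    return 0
  fi
  curl -s -X POST "$TOOLWEB_URL" \
    -H "Content-Type: application/json" \
    -H "X-API-Key: ${TOOLWEB_API_KEY:?set TOOLWEB_API_KEY in the environment}" \
    -d "$payload"
}

# Usage (interactive): submit_scorecard "$SAMPLE_PAYLOAD"
# Usage (no network):  TOOLWEB_DRY_RUN=1 submit_scorecard "$SAMPLE_PAYLOAD"
```

The redaction is deliberately done with sed rather than a JSON library so the wrapper runs wherever the skill's own curl call runs; the cost is that it only understands flat top-level keys, which is why the comment tells you to keep sensitive fields at the top level. The dry-run switch gives reviewers a way to see the exact body the skill would transmit without any bytes reaching portal.toolweb.in.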

VirusTotal

66/66 vendors rated this skill clean. A clean VirusTotal result covers malware signatures only; it does not address the data-transmission findings above.

View on VirusTotal