ClawHub

AI Agent Stack Builder

Security checks across malware telemetry and agentic risk

Overview

This is a documented API helper for AI stack recommendations with no install code, but users should avoid sending sensitive details in the request fields.

Use non-sensitive inputs unless you have verified the provider's privacy and compliance terms. Do not put secrets, patient data, customer records, or confidential business details in additionalNotes; use an opaque sessionId and omit userId when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly encourages sending session identifiers, user identifiers, and free-form project notes that may contain sensitive business or regulated data (for example, HIPAA-related requirements) to an external recommendation service, but it does not disclose retention, sharing, or downstream transmission practices. This creates a real privacy and data-governance risk because users may submit sensitive metadata or compliance-related details without informed consent or guidance on minimizing sensitive content.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The request schema includes sessionId and optional userId fields, which can constitute identifying or correlatable data, yet the spec provides no disclosure, purpose limitation, or privacy guidance. In an agent ecosystem, this increases the risk of unnecessary collection and transmission of user-linked data, enabling tracking, over-retention, or unintended sharing across services.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal