AI Governance, Security & Ethics Readiness Assessment

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward external assessment API, but users should avoid submitting sensitive internal security details unless they trust the provider.

Install only if you are comfortable sending selected AI governance, security, and compliance readiness details to ToolWeb's service. Use pseudonymous session IDs, omit userId unless needed, and do not include secrets, credentials, customer data, detailed vulnerabilities, or confidential control gaps without confirming the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents collection and submission of assessment data together with sessionId, timestamp, and optional userId, but provides no privacy notice, data minimization guidance, retention policy, or handling constraints. In a security/compliance-themed skill, this omission is especially problematic because users may reasonably submit sensitive organizational security posture data under an expectation of safe handling.

Missing User Warnings

Medium
Confidence: 74%
Finding
The schema explicitly collects sessionId and optionally userId, but the specification provides no disclosure, minimization guidance, or privacy handling constraints for these identifiers. In an assessment skill focused on governance, security, and ethics, collecting linkable identifiers without clear necessity or notice increases privacy risk and can enable unnecessary tracking, correlation, or retention of user activity.

VirusTotal

65/65 vendors flagged this skill as clean.
