Data Breach Response

Security checks across malware telemetry and agentic risk

Overview

This is a coherent breach-response planning API skill, but users should avoid sending unnecessary live incident or security-posture details to the external service.

Before using this skill, verify that you trust the API operator and understand how submitted company names, security tools, compliance obligations, session identifiers, and incident context are stored or shared. Prefer minimized or sanitized inputs when possible, especially during an active breach.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The request example includes realistic sensitive organizational context and user-identifying fields such as company name, security tooling, compliance obligations, session IDs, timestamps, and a user ID, but provides no warning about handling, minimization, redaction, or test-only data usage. In a security incident-response skill, users are especially likely to supply highly sensitive breach-related data, so normalizing this kind of example without privacy guidance increases the risk of unnecessary disclosure, logging, or downstream exposure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The API is designed to collect potentially sensitive organizational information, including company identity, industry, compliance posture, existing tools, session identifiers, and timestamps, yet the spec provides no disclosure, minimization guidance, or consent language around transmitting this data. In an agent-skill context, that omission increases the risk that users or calling agents send sensitive breach-related metadata to a third-party service without understanding privacy, retention, or exposure implications.

VirusTotal

65/65 vendors flagged this skill as clean.
