ClawHub

GRC Maturity

Security checks across malware telemetry and agentic risk

Overview

This is a coherent instruction-only GRC assessment API skill, with disclosed external API data submission but no installer, local access, or hidden execution.

Before using this skill with real GRC data, confirm the API operator, base URL, authentication method, TLS use, privacy policy, retention period, and who can access submitted assessment results. Avoid sending sensitive production compliance posture or identifiable user data until those details are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly documents sending `userId`, `sessionId`, and timestamps to an external assessment API without any statement about minimization, retention, access controls, or lawful handling of potentially sensitive organizational assessment metadata. In a GRC context, these identifiers can link maturity assessments to specific users or sessions and may expose internal compliance posture or user activity if logged, shared, or retained improperly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The schema accepts sessionId and optional userId values, which are identifiers that can enable tracking, correlation, or unintended collection of personal data, yet the specification contains no privacy notice, minimization guidance, or indication of how these fields are protected. In a GRC assessment context, submitted data may be sensitive, so collecting identifiers without clear disclosure and necessity increases privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal