IR Readiness

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-built security readiness assessment skill, with expected data submission behavior but limited privacy detail.

Before installing, confirm what service receives the assessment results, whether userId/sessionId are required, and how long submitted security-readiness data is retained. Avoid submitting confidential incident-response details unless you trust the provider and have approval to share them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly shows submission of assessment data together with a user identifier and timestamp, but provides no privacy notice, data minimization guidance, retention details, or warning about sending potentially sensitive organizational security-posture information to a third-party service. In a security assessment context, this data can reveal maturity gaps, weaknesses, and internal identifiers that could be sensitive if mishandled or logged externally.

Missing User Warnings

Medium
Confidence: 84%
Finding
The schema explicitly collects sessionId, timestamp, nested assessmentData.sessionId, and optional userId, which can link assessment responses to identifiable user activity, yet the API spec provides no notice about sensitivity, minimization, retention, or protection expectations. In an incident-response readiness context, the submitted responses may reveal organizational security posture, making silent transmission of correlatable identifiers a meaningful privacy and confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.
