ITSM Security Maturity

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward external ITSM maturity assessment API skill, with the main caution that submitted scores and identifiers may reveal internal security posture.

Before installing, confirm that your organization is comfortable sending ITSM maturity scores, session identifiers, timestamps, and any optional user identifier to the publisher's external service. Avoid including secrets, regulated data, or detailed internal weakness descriptions unless you have reviewed the provider's privacy, retention, and compliance terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 91% confidence
Finding
The skill documents sending assessment payloads and optional user identifiers to a third-party API, but provides no privacy notice, data classification guidance, retention policy, or warning against including sensitive organizational details. Because the content concerns security maturity and ITSM process state, users may submit sensitive operational or compliance data to an external service without informed consent or controls.

Missing User Warnings

Medium, 84% confidence
Finding
The API schema accepts sessionId and optional userId values, which are user/session-identifying fields, yet the specification provides no indication of privacy notice, consent flow, minimization, or handling restrictions. In an agent context, this can lead to silent transmission of identifying metadata to the backend, increasing privacy and tracking risk even if the data is not highly sensitive on its own.

VirusTotal

65/65 vendors flagged this skill as clean.
