Malware Defense Roadmap

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it asks users to send sensitive security-planning details and identifiers to an external API without enough data-handling disclosure.

Install only if you are comfortable sharing summarized security-posture information with the listed external service. Avoid submitting secrets, exact internal hostnames, customer data, incident details, regulated data, or real user identifiers unless your organization has approved the provider and its data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 89%
Finding: The skill documentation explicitly encourages submission of detailed organizational infrastructure, awareness posture, threat concerns, budget, and other potentially sensitive security-planning data, but provides no warning about data sensitivity, retention, sharing, or minimization. In a security-focused tool, this context makes the omission more dangerous because users may disclose internal defensive gaps and architecture details that would be valuable if mishandled or exposed.

Missing User Warnings

Medium
Confidence: 93%
Finding: The example request includes session identifiers, timestamps, and a user ID, which normalizes transmission of tracking and correlatable identifiers without any user-facing notice or consent language. Combined with the sensitive assessment content, these fields increase the risk of profiling, cross-request correlation, and exposure of organization-specific security assessments to an external service.

Missing User Warnings

Medium
Confidence: 92%
Finding: The request schema transmits sessionId and optional userId alongside detailed organizational security assessment data, but the spec provides no user-facing notice about collection, retention, sharing, or privacy implications. In an agent setting, this can cause sensitive identifiers and risk-profile data to be sent to the service without meaningful user awareness or consent, increasing privacy and data-handling risk.

External Transmission

Medium
Category: Data Exfiltration
Content:
## References

- Kong Route: https://api.mkkpro.com/security/malware-defense-roadmap
- API Docs: https://api.mkkpro.com:8105/docs
Confidence: 84%
Finding: https://api.mkkpro.com/

VirusTotal

64/64 vendors flagged this skill as clean.
