Psychology

Security checks across malware telemetry and agentic risk

Overview

The skill’s career-assessment function is coherent, but it appears to send detailed personal profile data and identifiers to an external API without enough privacy disclosure.

Review carefully before installing. Use it only if you are comfortable sending career or assessment profile details to the API provider, avoid unnecessary identifiers or highly sensitive information, and prefer explicit confirmation before submitting real user data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly solicits detailed personal assessment data including education, interests, work experience, goals, session identifiers, timestamps, and user IDs, but provides no privacy notice, retention policy, consent language, or data handling constraints. In a psychology/career context, this profiling data can be sensitive and deanonymizing, making silent collection and transfer to a third-party API a legitimate privacy and security concern.

Missing User Warnings

Medium
Confidence: 76%
Finding
The request schema collects potentially sensitive personal assessment data along with session and user identifiers, but the OpenAPI spec provides no warning, consent language, minimization guidance, or privacy/security notes. In an agent ecosystem, this increases the risk that personal profiling data will be transmitted to the service without users understanding what is being shared, enabling unnecessary exposure or retention of behavioral and career-related data.

VirusTotal

64/64 vendors flagged this skill as clean.
