ClawHub

Renewable Energy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent career-roadmap API skill with no executable install code, credentials, local file access, or hidden system authority.

Before installing, treat submitted assessment data as information sent to an external roadmap service. Use a pseudonymous session ID when possible, leave userId null unless needed, and avoid sharing sensitive personal details beyond what is necessary for career guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly collects and returns sessionId, userId, timestamps, and detailed assessment data, but provides no privacy notice, purpose limitation, retention guidance, or handling instructions for this identifying/profile data. That creates a real privacy and data-governance risk because users may disclose personal and career-profile information without informed consent, and downstream systems may store or correlate it across sessions.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The schema explicitly collects sessionId, timestamp, nested assessmentData.sessionId, and optional userId, but the API spec provides no notice about retention, purpose limitation, minimization, or handling of potentially linkable user data. In a career-roadmap skill, this context is not inherently high risk, but the combination of identifiers and behavioral assessment data can enable tracking or profiling if stored or reused without clear controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal