SRE Roadmap

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward SRE career-roadmap API description, with disclosed submission of assessment details and identifiers but no hidden local execution or destructive behavior.

Before using it, understand that career assessment details and identifiers may be sent to the provider's API. Use minimal or pseudonymous identifiers where possible, and do not include credentials, confidential employer information, or personal details beyond what is needed for roadmap generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documentation includes persistent identifiers such as sessionId, userId, and precise timestamps in request/response examples and parameter definitions without any statement about minimization, retention, redaction, or safe handling. Even though these are examples, they normalize collection and transmission of trackable user/session metadata and can lead downstream integrators to expose or over-collect personal or correlatable data.

Missing User Warnings

Medium
Confidence: 82%
Finding
The request schema explicitly collects sessionId and optional userId, and nested assessmentData also contains sessionId and timestamp, but the API description provides no privacy notice, purpose limitation, retention guidance, or handling constraints. This creates a real privacy and security risk because identifiers can enable tracking, correlation, and accidental overcollection or misuse, especially in a career-assessment context where user profiling data is being submitted.

VirusTotal

65/65 vendors flagged this skill as clean.
