ClawHub

Sustainability

Security checks across malware telemetry and agentic risk

Overview

This is a coherent career-roadmap API skill, with the main caution that it sends career profile details to an external service.

Install only if you are comfortable sending career assessment information to the referenced API provider. Keep inputs limited to what is needed for the roadmap, avoid secrets or highly sensitive personal data, and confirm the destination endpoint in your runtime before using it with real user profiles.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly collects and transmits career assessment data, session identifiers, timestamps, and optional user identifiers, yet provides no privacy notice, retention policy, minimization guidance, or handling restrictions. Even if the data is not highly sensitive on its own, combining professional history, goals, session tracking, and identifiers can create a meaningful user profile and raises privacy, compliance, and misuse risks.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The roadmap-generation endpoint accepts broad, loosely defined user-controlled objects such as experience, skills, and goals, while the API description does not constrain when or how the action should be invoked. In an agent setting, this can cause overbroad triggering or misuse with arbitrary sensitive profile data, leading to unnecessary data collection, prompt/context injection into downstream generation logic, or generation on insufficiently validated input.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal