System Hardening Checklist

Security checks across malware telemetry and agentic risk

Overview

This skill is a small API connector for security hardening assessments. It appears purpose-aligned, but users should be careful about sending real security posture details to the provider.

Install only if you are comfortable sending hardening checklist contents and identifiers to the listed third-party API. Use pseudonymous session/user IDs where possible, avoid production-identifying details in checklist data, and verify the provider's privacy and retention terms before submitting real organizational security information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly documents collection of session IDs, optional user IDs, timestamps, and detailed hardening assessment data, which can reveal sensitive organizational security posture and create linkable audit trails. Even though this is documentation rather than executable code, omitting privacy, retention, access-control, and sensitivity warnings can lead users to transmit regulated or high-value security metadata to a third-party service without informed consent or safeguards.

Missing User Warnings

Medium
Confidence: 86%
Finding
The schema explicitly collects sessionId and optional userId, but the spec provides no notice about why these identifiers are needed, how they are protected, or whether they are logged, retained, or shared. In an agent skill context, silent transmission of identifiers can create privacy risk, enable cross-session correlation, and expose sensitive metadata if downstream systems are compromised or over-collect data.

VirusTotal

62/62 vendors flagged this skill as clean.
