Ubuntu Hardening

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal external API tool for generating Ubuntu hardening configuration drafts, with review needed before using its output on real systems.

Before installing, understand that requests go to an external API and may include tracking identifiers. Review generated SSH, firewall, service, audit, and kernel changes carefully, test them outside production, keep rollback or console access, and do not apply the output blindly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill markets generation of system hardening configs but does not warn that applying them can disable services, lock out administrators, or otherwise reduce availability if used without review and testing. In this context, omission of operational safety warnings is a real security-quality issue because users may deploy generated SSH, firewall, or kernel settings directly onto production Ubuntu systems.

Missing User Warnings

Low
Confidence: 77%
Finding
The example request includes sessionId, userId, and timestamp fields, but the documentation provides no statement about whether these identifiers are required for logging, retained, shared, or protected. This creates a privacy and governance concern because consumers may transmit potentially identifying metadata to a third-party API without understanding data-handling expectations.

Missing User Warnings

Medium
Confidence: 92%
Finding
The request schema transmits sessionId, optional userId, and timestamp alongside the hardening request without any privacy notice, minimization rationale, or documented handling constraints. In an agent skill context, this can lead to unnecessary collection and propagation of identifiers to an external service, increasing privacy, tracking, and correlation risk beyond what is needed to generate configuration files.

VirusTotal

64/64 vendors flagged this skill as clean.
