Zero Trust For AI Maturity Assessment

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Zero Trust assessment API wrapper with no executable code, but users should avoid sending sensitive internal security details without approval.

Install only if you are comfortable sending Zero Trust maturity answers to ToolWeb's API. Use pseudonymous session/user identifiers where possible, avoid real internal secrets or sensitive architecture details unless approved, and confirm the network endpoint and data-handling terms before using it with enterprise data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs users to submit session identifiers, timestamps, and an optional userId to a third-party assessment API, but it provides no privacy notice, data minimization guidance, retention policy, or warning about external handling of submitted data. Even if the data is not highly sensitive by itself, these identifiers can enable correlation, tracking, and unintended disclosure when sent to an external service, especially in enterprise security assessment contexts.

Vague Triggers

Low
Confidence: 89%
Finding
The POST operation description is generic and does not define when the skill should or should not be invoked, what user intent it serves, or any boundaries on acceptable inputs. In systems that derive skill activation behavior from OpenAPI metadata, this can cause over-broad triggering and unintended transmission of user-supplied assessment data to the endpoint, increasing the chance of privacy leakage or unnecessary external calls.

VirusTotal

65/65 vendors flagged this skill as clean.
