Outlit SDK

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Outlit analytics integration guide; it can add telemetry code to an app, but that behavior is disclosed and aligned with its purpose.

Install only if you intend to add Outlit analytics to the target app. Review dependency and source changes, confirm consent/privacy requirements before enabling auto-tracking or identity capture, provide only the intended public Outlit key, and avoid sending secrets or unnecessary personal data in event properties.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly recommends browser SDK defaults that automatically capture pageviews, form submissions, sessions, and auto-identify from form fields, but the surrounding guidance does not present a prominent user-facing warning that these actions collect and transmit user activity and identity data. In a code-assistant setting, this omission can cause developers to integrate privacy-impacting telemetry without fully appreciating consent, disclosure, and compliance implications.

Missing User Warnings

Medium
Confidence: 93%
Finding
The setup and quick-connect guidance instructs users to install SDKs, add public keys, and verify network calls to Outlit, but it does not clearly warn that implementing the skill sends application and user activity data to an external service. That omission is security- and privacy-relevant because developers may unknowingly introduce outbound telemetry and data-sharing behavior into production systems.

VirusTotal

62/62 vendors flagged this skill as clean.
