
Security checks across malware telemetry and agentic risk

Overview

This skill saves URL parameters to MySQL as advertised, but it can retain sensitive URL data and alter the database schema with limited safety controls.

Review before installing. Use it only with a dedicated low-privilege MySQL user and a non-sensitive database, avoid URLs containing secrets, and consider changing the script to use a fixed schema or a JSON field with parameter allowlisting/redaction and clear retention/deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
96% confidence
Finding
The skill description and usage text do not clearly warn that URL query parameters will be stored persistently in a MySQL database and that the table may be auto-created. Query strings often contain sensitive data such as tokens, emails, IDs, or internal state; storing them without prominent disclosure can lead to privacy violations, accidental retention of secrets, and unsafe user expectations. The context makes this more dangerous because the core function of the skill is persistent storage of potentially sensitive URL data.

Missing User Warnings

Medium
95% confidence
Finding
The script persists all URL query parameters directly into a database without warning, filtering, or consent handling, even though query strings often contain sensitive data such as tokens, session IDs, email addresses, or internal identifiers. In this skill context, that makes the behavior meaningfully risky because the sole purpose is collection and retention of URL parameters for later analysis, increasing the chance of unnecessary sensitive-data storage.

VirusTotal

65/65 vendors flagged this skill as clean.