AR XR Builder

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is coherent for building Kivicube AR/XR pages, with expected camera, photo, sensor, and third-party script considerations.

Safe to install as a documentation helper. Before using generated code in production, confirm you trust Kivicube's hosted script, request only the browser permissions your AR/XR page actually needs, keep the page on HTTPS, disclose photo capture clearly to end users, and treat captured base64 images or private media assets as sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The file documents `takePhoto()` and states it returns a base64 image of camera-composited AR output, but it does not instruct the caller to obtain clear user consent, disclose capture behavior, or handle the image as sensitive data. In an AR/XR context, captured images may include the user's surroundings or people nearby, so omission of privacy guidance can enable stealthy or insufficiently disclosed image collection.

VirusTotal

65/65 vendors flagged this skill as clean.
