VibeTheme

Security checks across malware telemetry and agentic risk

Overview

This is a narrow theme-generation skill; its main caveat is that the user’s vibe prompt is sent to OpenRouter for LLM generation.

Install only if you are comfortable with the vibe prompt being sent to OpenRouter. Avoid putting secrets, private client names, proprietary product details, or sensitive business context in the vibe text; the maintainer should document the external provider clearly in the user-facing skill file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The function sends raw user-provided vibe text to an external third-party API without any visible disclosure, consent flow, minimization, or safeguards. If users include sensitive project names, internal design notes, or other private context in the prompt, that data is transmitted off-platform and may be logged or retained by the external provider.

External Transmission

Medium
Category
Data Exfiltration
Content
// --- Main ---

async function generateTheme(vibe, format = 'css') {
  const response = await fetch('https://openrouter.ai/api/v1/chat/completions', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
Confidence: 95%
Finding
fetch('https://openrouter.ai/api/v1/chat/completions', { method: 'POST'

VirusTotal

66/66 vendors flagged this skill as clean.
