Gamma

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Gamma.app integration that sends user-selected content to Gamma's API, with privacy cautions but no evidence of hidden or destructive behavior.

Install only if you are comfortable sending the prompts and document text you provide to Gamma.app using your Gamma API key. Do not pass secrets, credentials, private keys, regulated data, or confidential business documents unless your use of Gamma is approved. Review the shell script before use, and prefer explicit file paths or content that you intend to upload rather than letting an agent choose files autonomously.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes shell scripts but does not declare corresponding permissions, which weakens the platform's trust and review model. Undeclared code-execution capability can surprise users and reviewers, and if the wrapper script later expands behavior, it may enable unintended command execution, filesystem access, or network use without an explicit permission boundary.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends user-provided content to Gamma's external API, but the description does not warn users that their prompts and document content leave the local environment. This creates a privacy and data-handling risk because users may submit sensitive business, personal, or confidential material under the false assumption that processing is local.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends arbitrary user-provided content and an API-key-authenticated request to Gamma's external API without any explicit disclosure, consent prompt, or data-handling warning. In an agent skill context, users may assume content is processed locally or may unknowingly submit sensitive business, personal, or confidential material to a third party, creating a meaningful privacy and data-governance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
