Manual AI

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown guide for manually using third-party AI websites, with the main caution that users may send prompts or documents to those outside services.

Safe to install as a guide, but treat it as instructions for sending data to external AI services. Do not paste secrets, credentials, private customer data, proprietary code, regulated records, or confidential documents into Gemini, ChatGPT, Doubao, Qianwen, Google AI, or NotebookLM unless the service and account are approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly tells users to upload files and documents to third-party AI services for analysis and generation, but it provides no warning about confidentiality, retention, model training, cross-border transfer, or regulatory/privacy implications. Because this skill is specifically designed as a fallback workflow for failed API use, operators may be tempted to submit sensitive internal content manually, increasing the chance of unintended data disclosure.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill recommends signing into multiple third-party AI platforms using personal accounts such as Google, OpenAI, ByteDance, Alibaba, Taobao, Alipay, Douyin, and Toutiao, but omits any warning about account linkage, auditability, data ownership, or organizational policy violations. In a workplace setting, this can drive users to process business data through personal accounts outside approved controls, creating privacy, compliance, and access-governance risks.

Missing User Warnings

Medium
Confidence: 92%
Finding
The NotebookLM guide explicitly instructs users to upload PDFs, web pages, and documents to a third-party AI service without any caution about sensitive, confidential, or regulated data. In a skill designed to route work through external AI platforms, this omission can lead users to disclose internal documents or personal data unintentionally, creating privacy, confidentiality, and compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.
