ClawHub

Agent Bug Submission

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate bug-submission skill, but it normalizes unsafe password handling and depends on an unreviewed local helper to submit data externally.

Install only after reviewing the separate bug-reporter helper and confirming the TeamCycle and Feishu destinations are appropriate. Do not pass real passwords on the command line; use a token, secret manager, SSO/OAuth flow, or another protected credential path, and redact secrets or confidential data from bug reports before submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to submit bugs to an external platform and includes credential-handling flow, but it provides no warning about transmitting passwords or sensitive defect data to external services. In this context, the omission is risky because the skill also exposes command examples and API details, increasing the chance that users disclose credentials or confidential bug information without informed consent.

Ssd 3

High
Confidence
99% confidence
Finding
The skill includes a plaintext command-line example that passes a user's password directly as an argument. Command-line arguments are commonly exposed through shell history, process listings, audit logs, telemetry, and screenshots, so this creates a high-likelihood credential disclosure path that could lead to account compromise and unauthorized access to TeamCycle or related systems.

Ssd 3

High
Confidence
98% confidence
Finding
The parameter documentation explicitly lists 'password' as normal operator-provided input for bug submission, normalizing insecure credential handling. In the context of a skill with external submission tools and possible logging, this encourages routine exposure of credentials in prompts, transcripts, tool calls, and documentation, materially raising the risk of credential theft and downstream system access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal