Clawhub Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent wiki scaffolding skill, but users should review the external npm package and avoid publishing private notes as public pages.

Install only if you trust the create-opc-wiki npm package and repository. Use a dedicated vault folder, review generated agent rules and MCP files before opening the vault in agents, and do not tag secrets, personal notes, or confidential material as privacy: public before building or deploying the site.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The examples show how to build and deploy a public site from the wiki, but they do not clearly warn that any page tagged `privacy: public` will be exposed on the internet once `dist/` is deployed. In a tool designed to compile personal knowledge into a persistent wiki, users may accidentally publish sensitive notes, derived summaries, or proprietary material if the public/private boundary is not made explicit at the point of use.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal