I'm Pretty Amazing

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed API helper for an accomplishment-tracking service, with sensitive login and token handling that users should treat carefully.

Install only if you are comfortable giving the agent access to your I'm Pretty Amazing account. Decline saved session tokens on shared or synced machines, clear them when done, and review the exact content, visibility, profile changes, deletes, follows, blocks, likes, comments, or feedback before approving any mutation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill description says it may be used for proactively suggesting a win after the user accomplishes something notable, but it does not define strong boundaries for when proactive invocation is appropriate. That can cause the agent to trigger on broad conversational context and steer users into an external service flow without a clear request, increasing the chance of unwanted data transmission or unintended account actions.

Vague Triggers

Medium
Confidence: 94%
Finding
The proactive-usage section instructs the agent to suggest posting whenever the user accomplishes something notable, with examples broad enough to match many ordinary conversations. In a skill that authenticates to a third-party service and can perform mutations, ambiguous self-triggering is risky because it can move users toward external posting flows they did not clearly request.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly tells clients they may persist `access_token` and optionally `refresh_token` cookie values for reuse, which encourages converting cookie-based session credentials into application-managed secrets. That increases the chance of insecure storage, leakage through logs or local files, and misuse of refresh tokens outside intended browser cookie protections.

VirusTotal

65/65 vendors flagged this skill as clean.
