Funding Program Manager

Security checks across malware telemetry and agentic risk

Overview

This is a real Karma funding-administration skill, but it gives agents durable API access and high-impact control over applications, payouts, and agreements without enough explicit safeguards.

Review before installing. Use a dedicated, least-privileged Karma API key; avoid storing it in shell startup files unless necessary; and manually confirm every approve, reject, reviewer change, agreement toggle, AI evaluation, and payout command before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs the agent to persist a newly obtained API key to plugin data and shell startup files, which expands scope from performing the immediate funding-program task to modifying long-lived local credential storage. Persisting secrets in broadly accessible local files or shell config increases the risk of credential theft, accidental disclosure, reuse in unintended contexts, and unauthorized future API actions.

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger description ends with a broad catch-all phrase covering 'any funding program administration action,' which can cause overbroad activation and execution in contexts the user did not intend. For a skill capable of changing application status, reviewer assignments, payouts, and agreement state, overly permissive activation increases the chance of accidental high-impact operations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The setup flow tells the agent to automatically save API credentials to disk and shell config without first presenting a clear warning about persistence, local exposure, backup/sync leakage, or multi-user access risks. This creates avoidable credential exposure and may surprise users who expected temporary use only.

Missing User Warnings

Medium
Confidence: 94%
Finding
The application flow collects applicant email and detailed form answers, and may also send those answers to an AI evaluation endpoint, but it does not instruct the agent to warn users that their personal and proposal data will be transmitted to external services. This can lead to uninformed disclosure of sensitive personal, financial, or business information.

Missing User Warnings

Medium
Confidence: 97%
Finding
The payout disbursement instructions initiate a high-impact financial operation without requiring a clear confirmation step, review summary, or recipient/amount verification. In a funding administration skill, this can directly result in unintended or fraudulent transfers if the skill is mis-triggered, manipulated, or used with incorrect parameters.

Missing User Warnings

Medium
Confidence: 88%
Finding
The grant agreement toggle endpoint changes signed state, but the skill does not require a warning or confirmation, even though signing or unsigning is a consequential legal and workflow state change. Accidental or unauthorized state changes could affect enforceability, downstream processing, and audit integrity.

VirusTotal

65/65 vendors flagged this skill as clean.
