Soulprint

Security checks across malware telemetry and agentic risk

Overview

This identity-verification skill is purpose-aligned, but it needs review because it handles government ID, face/biometric data, blockchain identity state, and validator credentials without clear enough privacy and control boundaries.

Review before installing. Only use this if you are comfortable running external npm identity-verification tools and handling sensitive identity data. Treat cédula numbers, birth dates, document images, face data, biometric-derived proofs, SPT tokens, ADMIN_TOKEN, and private keys as sensitive; verify package provenance, pin versions, use low-value testnet keys, avoid logging identifiers, and confirm exactly what is stored on-chain or sent to validators or government-registry services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs users to perform OCR, face recognition, and government identity validation, but it does not clearly warn that these operations involve highly sensitive personal and biometric data. Even if processing is described as local, users and integrators are not told what data is collected, what may be transmitted to third parties such as Registraduría, or what handling safeguards are required, creating meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The `/verify/cedula` endpoint accepts a national ID number and date of birth, which are sensitive identity attributes, but the documentation does not warn that invoking this endpoint may transmit personal data to an external validation service. This omission can lead developers to integrate the API without consent, minimization, or secure transport considerations, increasing privacy, regulatory, and misuse exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
