Clawhub Skill Infra Watchdog

Security checks across malware telemetry and agentic risk

Overview

This infrastructure monitor appears aligned with its purpose, but it needs Review because its HTTPS checks are reported to disable certificate verification and its alerts can send infrastructure details to third-party chat services.

Install only if you are comfortable with the monitoring targets and alert channels you configure. Prefer disabling third-party alerts unless needed, avoid sensitive hostnames or secrets in monitor names and URLs, and review or patch the HTTPS check so certificate validation is enabled by default unless you explicitly need to monitor self-signed internal endpoints.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly advertises alerting through WhatsApp, Telegram, and Discord, but does not warn users that monitor names, hostnames, service status, outage timing, and other operational metadata may be sent to third-party platforms. In an infrastructure-monitoring context, that metadata can reveal internal services and incident patterns, creating a real privacy and operational-security risk even if no obvious secrets are transmitted.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal