Security audit

mar-docs-cog

Security checks across malware telemetry and agentic risk

Overview

This is a coherent document-generation skill that uses an external API, but users should treat it as a third-party service for sensitive documents.

Install only if you are comfortable sending document prompts and provided content to the SkillBoss/HeyBoss API service. Avoid secrets, regulated personal data, confidential client material, or legally sensitive facts unless you have reviewed the provider’s terms and have authorization. Treat contracts, privacy policies, financial documents, and compliance claims as drafts that need qualified human review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill explicitly encourages users to submit resumes, contracts, reports, and other documents that commonly contain personal, financial, and business-sensitive data to a third-party API, but it does not disclose that this information will leave the local environment or warn about privacy implications. This creates a real risk of unintended disclosure, regulatory issues, and unsafe handling of sensitive information by users who may assume the tool is local-only or privacy-neutral.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill markets generation of contracts, NDAs, terms of service, privacy policies, and other legal/finance documents without any warning that the output may be inaccurate, incomplete, or jurisdictionally inappropriate. Users could rely on unreviewed generated legal text in real transactions, creating legal, compliance, and financial exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
