ClawHub

SPF DKIM Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Cloudflare DNS helper, but it can make real DNS changes and should be used carefully.

Install only if you want an agent to manage DNS for a Cloudflare-hosted domain. Use a least-privilege Cloudflare token scoped to the intended zone, review the exact record name, type, old value, and new value before changes, and be especially cautious with delete, import, batch, MX, CNAME, SPF, DKIM, and DMARC changes because mistakes can break websites, email delivery, or domain verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly promotes autonomous DNS modification and end-to-end domain setup, but it does not require confirmation, pre-change validation, backup of existing records, or warnings about outage risk. Because DNS changes can immediately disrupt web, mail, and verification flows, this omission makes accidental harmful changes more likely in agent-driven use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented delete operation provides a direct destructive API call with no caution about irreversibility, no recommendation to verify the record ID, and no guidance to check service dependencies first. In a skill intended for agents, this increases the chance of deleting critical DNS records and causing immediate service disruption.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal