ClawHub

Http Api Test Runner

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent API testing helper, but it repeatedly asks users to provide live session cookies or authorization headers in the agent conversation.

Review this skill before installing. Use it only for APIs you own or are authorized to test, and avoid pasting live cookies, bearer tokens, or full Authorization headers into chat. Prefer local environment variables, short-lived test credentials, and redacted examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The default prompt is broad enough to activate the skill for generic API-testing requests without clear boundaries on allowed targets, credentials handling, or safety checks. In a skill that generates and runs HTTP API tests, this can lead to unintended invocation against arbitrary endpoints, including internal, authenticated, or sensitive systems if downstream tooling permits execution.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the user to copy and provide the full live Cookie header from a successful browser request. That encourages disclosure of active session material into the agent interaction channel, where it may be logged, retained, or mishandled, and could enable account or environment compromise if reused.

Ssd 3

Medium
Confidence
96% confidence
Finding
The debugging section again asks for the full Cookie or Authorization header from a successful request, reinforcing unsafe handling of live credentials during support interactions. This increases the chance that bearer tokens, session cookies, or other reusable auth secrets are pasted into logs or shared contexts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal