ClawHub

Clawmart Skills Empire

Security checks across malware telemetry and agentic risk

Overview

This is a mostly documentation-based template kit with no hidden execution behavior, but some templates need privacy and secret-handling safeguards before real deployment.

Install only as a starter/template and marketing kit. Before building or selling anything from it, inspect any added implementation code, keep API keys out of shared config files, and add explicit safeguards for scraping, outreach, CRM exports, trading alerts, and customer-data workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README explicitly markets a lead-generation skill with scraping, email verification, and CRM integration, but provides no guidance on lawful data collection, consent, storage, or acceptable-use boundaries. In this context, the omission increases the likelihood that users will deploy the skill in ways that violate privacy expectations, anti-spam rules, platform terms, or data-protection obligations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script explicitly tells users to put API keys into a local config.json file but provides no guidance on secure storage, exclusion from version control, or secret management. In a marketplace/deployment context, this can lead users to hardcode credentials into distributable project files, increasing the risk of accidental exposure through repositories, bundles, logs, or support sharing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly supports exporting collected lead data to CSV and CRM systems but provides no warning or guidance about what data is written, where it is stored, or the privacy/compliance implications of persisting scraped contact information. In a lead-generation context, this increases the risk of unauthorized retention, accidental disclosure, or improper handling of personal/business contact data, especially when users may assume export is harmless.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal