Hepha

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only coding autopilot that openly creates project-local progress files, runs checks, uses web/browser validation when needed, and makes local commits after explicit activation.

Install only if you want an explicitly invoked coding autopilot. Run it on a dedicated branch or disposable worktree, review `.autopilot` files and generated commits before pushing, and give clear limits for network use, authenticated browser sessions, files in scope, and when the agent should stop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly directs the agent to create and maintain files under `.autopilot/` and later make commits, but it does not require an explicit user-facing notice or fresh confirmation before modifying the repository. In an autonomous looping context, this increases the risk of unreviewed repository changes, accidental persistence of sensitive data in progress artifacts, and unintended commit history changes beyond what a user may reasonably expect.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill description advertises web/GitHub research and browser-based validation, but it does not present a clear privacy or network-use warning to the user. In practice, this can lead to unannounced outbound requests, exposure of repository context or URLs to external services, and accidental interaction with authenticated browser sessions or internal applications during validation.

VirusTotal

65/65 vendors flagged this skill as clean.
