ClawHub
Back to skill

Security audit

Doppler

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent secret-management helper, but it gives an agent access to plaintext secrets and destructive deletion commands without enough handling or confirmation guidance.

Install only if you want an agent to help operate a secrets/configuration manager. Before using it, require explicit confirmation for deletes, verify the target project/config/environment, avoid printing plaintext secrets unless strictly necessary, redact outputs, and do not save downloaded secret sets to disk unless you have a controlled storage and cleanup plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill enumerates destructive `delete` operations for secrets, configs, projects, and environments without any cautionary language, confirmation guidance, or scoping advice. In an agent skill, this increases the chance of accidental destructive actions against production resources because the commands are presented as routine usage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documents commands that retrieve plaintext secrets, download full secret sets, and inject secrets into subprocess environments without any privacy or handling safeguards. This is dangerous because agents may expose credentials in logs, terminal output, child processes, shell history, or files if they follow these examples naively.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.