Secure Code Warrior

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Secure Code Warrior integration, but it gives broad authenticated control over an external service without clear safety limits.

Review before installing. Use a low-privilege Membrane and Secure Code Warrior account, verify OAuth or account scopes, prefer prebuilt read-only actions where possible, and require explicit confirmation before modifying users, roles, permissions, enrollments, settings, subscriptions, transactions, or other organization data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description is overly broad ('Manage data, records, and automate workflows'), which can cause an agent to invoke this integration for generic requests that are not clearly about Secure Code Warrior. Because the skill supports authenticated actions against an external service, over-triggering increases the chance of unintended data access or state-changing operations in the wrong context.

Missing User Warnings

Medium
Confidence: 91%
Finding
The proxy-request section instructs the agent how to send arbitrary authenticated HTTP requests, including POST, PUT, PATCH, and DELETE, but does not warn that these can modify or delete remote data. In a skill that manages external SaaS resources, this omission makes unintended destructive operations more likely, especially if an agent improvises with direct API calls instead of safer prebuilt actions.

VirusTotal

63/63 vendors flagged this skill as clean.
