ClawHub

Small Improvements

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Small Improvements integration, but it needs review because it can modify sensitive HR records and make broad authenticated API requests without clear safety guardrails.

Install only if you trust Membrane and need AI-assisted access to Small Improvements. Use the least-privileged account available, review connection permissions, require explicit approval before creating, updating, canceling, sending, or deleting records, and prefer listed Membrane actions over raw proxy requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises destructive and data-modifying operations such as deleting objectives and sending or canceling feedback requests without any warning, confirmation requirement, or guidance to verify user intent. In an HR and performance-review context, accidental or ambiguous execution could alter employee records, disrupt workflows, or create unauthorized changes to sensitive personnel data.

Missing User Warnings

High
Confidence
95% confidence
Finding
The proxy request feature enables arbitrary API calls through an authenticated connection, but the documentation does not warn that this can access or transmit highly sensitive HR, feedback, and performance-review data. Because it bypasses the safer, constrained action layer, misuse could lead to overbroad data access, unintended writes, or exfiltration of confidential employee information.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal