ClawHub

Content Repurposer Pro

Security checks across malware telemetry and agentic risk

Overview

This is a content-repurposing helper that uses OpenAI or Anthropic for its core feature, with privacy cautions but no evidence of hidden, destructive, or deceptive behavior.

Install only if you are comfortable with drafts, articles, transcripts, or pasted content being sent to OpenAI or Anthropic when API keys are configured. Do not use it on confidential, regulated, customer, or proprietary content unless your organization permits those providers, and review generated posts before publishing or sending them anywhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that outputs may be saved to files or sent directly via APIs, but it gives no explicit warning, consent checkpoint, or boundary around external transmission. Because the skill processes user-supplied long-form content that may contain unpublished, proprietary, or sensitive material, this omission could lead to unintentional data exfiltration or accidental posting to external services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends user-supplied content from URLs, files, or stdin directly to third-party LLM providers, but it does not present any explicit warning, consent step, or privacy notice before transmission. This is dangerous because users may unknowingly upload sensitive internal documents, transcripts, or proprietary content to external services with separate retention, logging, or training policies.

External Transmission

Medium
Category
Data Exfiltration
Content
const anthropicKey = process.env.ANTHROPIC_API_KEY;

  if (openaiKey) {
    const res = await httpPost('https://api.openai.com/v1/chat/completions', {
      model: 'gpt-4o-mini',
      messages: [
        { role: 'system', content: systemPrompt },
Confidence
93% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
}

  if (anthropicKey) {
    const res = await httpPost('https://api.anthropic.com/v1/messages', {
      model: 'claude-3-5-haiku-20241022',
      max_tokens: 2000,
      system: systemPrompt,
Confidence
93% confidence
Finding
https://api.anthropic.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal