Yufluent Clawhub Publish Yufluentcn Comp Track

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Yufluent cloud client for competitor-listing analysis and does not show hidden persistence, destructive behavior, or unrelated data access.

Install only if you are comfortable sending the pasted competitor text, your optional listing text, and your Yufluent API key to the configured Yufluent endpoint. Do not include confidential launch plans, personal data, or trade secrets unless Yufluent’s processing and retention terms are acceptable, and avoid setting TOKENAPI_BASE_URL to any untrusted host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tainted flow: 'url' from os.getenv (line 271, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:

        }
        if body is not None:
            kwargs["json"] = body
        return requests.post(url, **kwargs)


    def _raise_for_status(resp: requests.Response) -> None:

Confidence: 95%
Finding: return requests.post(url, **kwargs)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill description and usage flow do not prominently warn that pasted competitor text, product listings, and optional local file contents are transmitted to a cloud service for processing. This can lead users to disclose proprietary or sensitive commercial content without informed consent, especially because the skill is framed as a simple analysis workflow.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
This script sends user-supplied competitor and possibly first-party listing content to a remote cloud service via run_skill, but this file does not provide an explicit warning, confirmation, or data-sensitivity notice before transmission. In a competitor-analysis skill, those inputs may include confidential business copy, launch plans, or proprietary marketing text, so silent exfiltration to a third-party service creates a real privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 72%
Finding:
The skill sends user-provided payload fields and the skill identifier to remote cloud endpoints, including the fallback /agent/turn path that serializes all slots into a natural-language message, without any disclosure in this code. In a competitor-analysis skill, users may paste proprietary listing text or business data, so silent cloud transmission increases confidentiality and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.