ClawHub

Nyne Deep Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a third-party personal profiling tool that sends identifiers to an external service and encourages full disclosure of sensitive dossiers without adequate consent or misuse safeguards.

Install only if you have a legitimate, lawful, and authorized reason to run deep research on people and your organization permits sending those identifiers to Nyne. Treat outputs as sensitive personal data, avoid phone or multi-profile lookups unless necessary, do not store API secrets in broadly sourced shell profiles, and require explicit user confirmation before submitting any person's data or requesting full dossier sections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (19)

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is explicitly designed to submit personal identifiers such as email, phone number, social URLs, and names to a third-party profiling service that returns a highly sensitive intelligence dossier, including psychographics, social graph, warnings, and approach strategy. The absence of any consent, authorization, lawful-use, or privacy warning materially increases the risk of non-consensual surveillance, profiling, and misuse of sensitive personal data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to send identifiers and API credentials to an external service but does not prominently warn that the request transmits sensitive personal data and secrets off-platform. Users may reasonably miss that both third-party disclosure of PII and credential handling are occurring, creating privacy, compliance, and account-risk concerns.

Ssd 3

High
Confidence
99% confidence
Finding
The skill directs the agent to reveal the dossier in maximum depth and 'display every section in full,' including psychographic profiling, personal life, key relationships, warnings/landmines, and 'creepy-good insights.' This is dangerous because it defeats data minimization and encourages mass disclosure of highly sensitive profiling material that could facilitate manipulation, stalking, social engineering, or reputational harm.

External Transmission

Medium
Category
Data Exfiltration
Content
}

# Submit research request
REQUEST_ID=$(curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
90% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/deep-research" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**By email:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
89% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/deep-research" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**By social media URL:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
88% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/deep-research" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**By multiple social URLs:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
88% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/deep-research" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**By name + company:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
87% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/deep-research" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**By phone:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
93% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/deep-research" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
}

# Submit research request
REQUEST_ID=$(curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
90% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
# Poll until complete (checks every 5s, times out after 10 min)
SECONDS_WAITED=0
while [ $SECONDS_WAITED -lt 600 ]; do
  curl -s "https://api.nyne.ai/person/deep-research?request_id=$REQUEST_ID" \
    -H "X-API-Key: $NYNE_API_KEY" \
    -H "X-API-Secret: $NYNE_API_SECRET" | nyne_parse > /tmp/nyne_response.json
  STATUS=$(jq -r '.data.status' /tmp/nyne_response.json)
Confidence
84% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**By email:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
89% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**By social media URL:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
88% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**By multiple social URLs:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
88% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**By name + company:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
87% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**By phone:**
```bash
curl -s -X POST "https://api.nyne.ai/person/deep-research" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
93% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Check status once
```bash
curl -s "https://api.nyne.ai/person/deep-research?request_id=$REQUEST_ID" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" | nyne_parse | jq '{status: .data.status, completed: .data.completed}'
```
Confidence
83% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
TIMEOUT=600  # 10 minutes

while [ $SECONDS_WAITED -lt $TIMEOUT ]; do
  curl -s "https://api.nyne.ai/person/deep-research?request_id=$REQUEST_ID" \
    -H "X-API-Key: $NYNE_API_KEY" \
    -H "X-API-Secret: $NYNE_API_SECRET" | nyne_parse > /tmp/nyne_response.json
  STATUS=$(jq -r '.data.status' /tmp/nyne_response.json)
Confidence
86% confidence
Finding
https://api.nyne.ai/

Session Persistence

Medium
Category
Rogue Agent
Content
export NYNE_API_SECRET="your-api-secret"
```

To persist across sessions, add the exports to your shell profile (`~/.zshrc`, `~/.bashrc`, etc.) or create a `.env` file and source it:
```bash
# Create .env file (keep out of version control)
echo 'export NYNE_API_KEY="your-api-key"' >> ~/.nyne_env
Confidence
90% confidence
Finding
create a `.env` file and source it: ```bash # Create .env file (keep out of version control) echo 'export NYNE_API_KEY="your-api-key"' >> ~/.nyne_env echo 'export NYNE_API_SECRET="your-api-secret"' >>

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal