ClawHub

Nyne Enrichment

Security checks across malware telemetry and agentic risk

Overview

This skill appears to work as advertised, but it enables broad third-party people enrichment and disclosure of sensitive personal data without clear privacy safeguards.

Install only if you have a legitimate, authorized reason to enrich people through Nyne. Treat inputs and results as sensitive personal data, avoid newsfeed or AI-enhanced search unless truly needed, do not print or log secrets, and delete or securely store any /tmp/nyne_enrich.json result files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (19)

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to present all available enrichment data, including personal emails, phone numbers, social profiles, work history, education, and posts, without any privacy screening, minimization, consent check, or sensitivity warning. In the context of a person-enrichment tool, this materially increases the risk of doxxing, privacy violations, and inappropriate disclosure of third-party personal data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup guidance includes printing portions of the API key and secret to the terminal, normalizing secret exposure during verification and providing no warning that these values are sensitive. Even partial credential disclosure can leak into logs, transcripts, screenshots, shell history, or shared terminal sessions and weakens operational secret hygiene.

External Transmission

Medium
Category
Data Exfiltration
Content
}

# Submit enrichment request
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
84% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/enrichment" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**By email:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
82% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/enrichment" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**By LinkedIn URL:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
80% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/enrichment" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**By name + company:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
83% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/enrichment" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**With newsfeed:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
90% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/enrichment" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Lite mode (3 credits):**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
78% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/enrichment" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**With AI-enhanced search:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
88% confidence
Finding
curl -s -X POST "https://api.nyne.ai/person/enrichment" \ -H "Content-Type: application/json" \ -H "X-API-Key: $NYNE_API_KEY" \ -H "X-API-Secret: $NYNE_API_SECRET" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
}

# Submit enrichment request
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
84% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
# Poll until complete (checks every 3s, times out after 6 min)
SECONDS_WAITED=0
while [ $SECONDS_WAITED -lt 360 ]; do
  curl -s "https://api.nyne.ai/person/enrichment?request_id=$REQUEST_ID" \
    -H "X-API-Key: $NYNE_API_KEY" \
    -H "X-API-Secret: $NYNE_API_SECRET" | nyne_parse > /tmp/nyne_enrich.json
  STATUS=$(jq -r '.data.status' /tmp/nyne_enrich.json)
Confidence
80% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**By email:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
82% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**By LinkedIn URL:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
80% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**By name + company:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
83% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**With newsfeed:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
90% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**Lite mode (3 credits):**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
78% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**With AI-enhanced search:**
```bash
curl -s -X POST "https://api.nyne.ai/person/enrichment" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" \
Confidence
88% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Check status once
```bash
curl -s "https://api.nyne.ai/person/enrichment?request_id=$REQUEST_ID" \
  -H "X-API-Key: $NYNE_API_KEY" \
  -H "X-API-Secret: $NYNE_API_SECRET" | nyne_parse > /tmp/nyne_enrich.json
Confidence
79% confidence
Finding
https://api.nyne.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
TIMEOUT=360  # 6 minutes

while [ $SECONDS_WAITED -lt $TIMEOUT ]; do
  curl -s "https://api.nyne.ai/person/enrichment?request_id=$REQUEST_ID" \
    -H "X-API-Key: $NYNE_API_KEY" \
    -H "X-API-Secret: $NYNE_API_SECRET" | nyne_parse > /tmp/nyne_enrich.json
  STATUS=$(jq -r '.data.status' /tmp/nyne_enrich.json)
Confidence
80% confidence
Finding
https://api.nyne.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal