Nyne Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Nyne people-search helper, but it needs Review because it encourages broad disclosure of enriched personal contact and demographic data without enough safeguards.

Install only if you have a legitimate, authorized use for Nyne people search and are prepared to handle personal data responsibly. Avoid showing or storing more contact and demographic data than needed, be careful with callback URLs, do not expose API secrets in terminal output, and delete local result files that contain enriched profiles.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to disclose all returned personal data, including sensitive and quasi-sensitive attributes such as emails, phone numbers, gender, and estimated age, without any minimization, consent check, or privacy warning. This creates a direct privacy and data-exposure risk because the agent is being told to surface enriched PII by default rather than only what is necessary for the user's legitimate task.

Missing User Warnings

High
Confidence: 96%
Finding
The documentation promotes contact enrichment for emails and phone numbers but provides no warning about the privacy, compliance, or misuse implications of retrieving and disclosing that data. In a people-search context, omission of such safeguards increases the likelihood that an agent will collect and expose personal contact data for purposes beyond what is necessary.

Ssd 3

High
Confidence: 99%
Finding
The natural-language instruction to 'show all returned data' operationalizes overexposure: it directs the agent to dump full profiles, contact details, demographics, and derived insights to the user. Because this is a people-search skill handling enriched profile data, the context makes indiscriminate disclosure especially dangerous and likely to violate least-privilege and privacy expectations.

VirusTotal

64/64 vendors flagged this skill as clean.
