Web Architecture

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only web app architecture skill with disclosed development guidance, but its example analytics and replay settings should be tightened before production use.

Install this only if you want a structured workflow for substantial Next.js/Convex app development. Use it in a dedicated project, review generated code and sub-agent work before deployment, set your own limits for long-running agents, replace HustleStack-specific assumptions with your requirements, and tighten PostHog/Sentry replay with consent, masking, sensitive-route exclusions, retention limits, and privacy notices before production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The requirements mandate PostHog analytics with session replay and user identification, but they do not require any user-facing consent flow, privacy notice, or replay scoping. In a career platform that processes profile, onboarding, and possibly billing-adjacent interactions, session replay can capture sensitive personal data and create GDPR/compliance exposure if enabled without clear disclosure and consent controls.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The Sentry replay configuration sets maskAllText: false and blockAllMedia: false, which allows the full text content and media of user sessions to be captured in replay telemetry. On an application handling user profiles, onboarding data, and account settings, this risks sending PII or other sensitive content to third-party monitoring systems.

VirusTotal

64/64 vendors flagged this skill as clean.