EU AI Act Compliance for Autonomous Agents

Security checks across malware telemetry and agentic risk

Overview

The skill is a non-installing compliance guide, but it includes runnable production-capable examples that can change GreenHelix accounts, escrows, disputes, webhooks, and monitoring state with unclear sandbox versus production boundaries.

Review this carefully before installing or using it. Treat the snippets as production-capable code, use sandbox or least-privilege test credentials first, do not provide production signing keys casually, and require explicit human approval before any escrow, registration, webhook, dispute, daemon, or production monitoring action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Severity: High. Confidence: 96%.

Finding: The guide explicitly says it is educational and non-executing, yet the included code issues real HTTP POST requests and supports authenticated calls using environment-provided credentials. This mismatch can mislead operators into running examples against live services, causing unintended writes, registrations, payments, disputes, or audit-log mutations in GreenHelix environments.

Intent-Code Divergence

Severity: Medium. Confidence: 91%.

Finding: The documentation first says the sandbox requires no API key, then later claims all examples run against production, while the code supports bearer-authenticated real API use. These contradictory assurances increase the chance a user will trust the text and accidentally send authenticated requests to real infrastructure or misunderstand which environment they are targeting.

Missing User Warnings

Severity: Medium. Confidence: 88%.

Finding: The skill discusses production API usage and writes reports/files without a strong safety boundary, which can prompt users or downstream agents to run examples that modify live systems or persist sensitive compliance data. In a guide framed as educational, the lack of a conspicuous warning materially increases the risk of accidental operational impact.

VirusTotal

66/66 vendors flagged this skill as clean.