ClawHub

data-researcher

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only data research skill with broad but disclosed data-source language and no executable install or hidden behavior.

Install only if you want a broad data-research assistant. Before invoking it, specify which datasets, systems, APIs, logs, and scraping targets are approved, and require privacy, authorization, and compliance limits for any private or sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill says "When invoked" and immediately proceeds into broad data-research actions, but it never defines clear activation boundaries, allowed inputs, or limits on what sources may be queried. In an agent system, ambiguous invocation scope can cause the skill to activate in overly broad contexts and perform unintended data access or collection behaviors, especially given the skill's later references to APIs, databases, web scraping, and private sources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly includes sensitive-capability language such as web scraping, database access, private sources, log analysis, and automated gathering, but provides no privacy, consent, authorization, legal-compliance, or data-minimization safeguards. In this context, the absence of warnings and restrictions makes misuse more dangerous because the skill is positioned as a general-purpose data collector and analyzer that could be directed toward unauthorized or excessive data acquisition.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal