Evoagentx

Security checks across malware telemetry and agentic risk

Overview

This is a plausible EvoAgentX integration, but its core commands depend on a PowerShell helper script that is not included for review.

Review before installing. Only run the PowerShell helper if you know exactly where evoagentx.ps1 came from and have inspected it. Use scoped or disposable API keys, avoid sensitive prompts until you understand EvoAgentX provider and memory behavior, and run installs in a contained environment when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Low
Confidence: 82%
Finding
The skill description and usage are broad and do not define a narrow activation scope, which increases the chance the agent may invoke the skill in unintended contexts. Because this skill can install packages and run external AI workflows, ambiguous triggering raises the risk of unnecessary environment changes or execution from loosely related prompts.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation presents the install action as a normal step without clearly warning that it modifies the host environment by installing software. In an agent setting, this can lead to silent or insufficiently understood package installation, creating supply-chain and system-integrity risks if invoked automatically or by mistake.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to set an API key directly in the environment but does not warn that the credential is sensitive or advise on secure handling. In agent or shared-shell contexts, this increases the risk of accidental disclosure through logs, transcripts, process inspection, shell history, or downstream tool access.

VirusTotal

62/62 vendors flagged this skill as clean.
