Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill tells agents how to use SanctifAI for human-in-the-loop tasks, and its external sharing, invites, billing, and webhook behavior are disclosed and aligned with that purpose.

Install this only if you want an agent to send task details to SanctifAI and potentially to human reviewers. Avoid including secrets, credentials, regulated personal data, or confidential files unless you are authorized to share them; prefer guild or direct routing for trusted reviewers, verify invite email addresses and callback URLs, and protect SanctifAI API keys and generated agent keys as account credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium (94% confidence)
Finding
The skill explicitly supports sending task content and uploaded attachments to human workers, but it does not warn that prompts, documents, or other data may leave the agent boundary and be exposed to third parties. In an agent skill context, this omission can lead users to submit sensitive code, customer data, credentials, or internal documents to external humans without informed consent or data minimization.

Missing User Warnings

Low (89% confidence)
Finding
The documented invite flows can send emails to external recipients, but the skill does not prominently warn that invoking these operations will trigger outbound communications. That creates a risk of accidental contact with third parties, spam/phishing-like behavior, or disclosure of organizational intent and identifiers to unintended recipients.

Missing User Warnings

Medium (95% confidence)
Finding
The webhook/callback features forward task completion data, including human responses, to a configured external URL, but the documentation does not clearly warn that this exports off-platform data to another destination. If a callback URL is misconfigured, attacker-controlled, or insufficiently protected, sensitive task responses could be disclosed or exfiltrated.

VirusTotal

65/65 vendors flagged this skill as clean.
