Status Page Gen

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it checks user-configured services and generates a local status page, with optional scheduling and public publishing steps.

Before installing, review the service list and only monitor hosts you intend to check. Do not publish the generated page publicly unless those service names, URLs, status history, and certificate details are safe to share. Enable cron or LaunchAgent scheduling only if you want recurring background checks and know how to remove them later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 86% confidence
Finding
The trigger list includes very broad phrases such as 'status page', 'service status', and 'health check', which can cause the skill to activate on ordinary user requests that may not be intended to invoke this capability. In an agent environment, over-broad activation increases the chance of unintended execution of monitoring workflows, network probing of configured services, or disclosure of internal infrastructure details through generated outputs.

Missing User Warnings

Medium, 95% confidence
Finding
The guide explicitly recommends publishing the generated status page to a public GitHub Gist, but does not warn that the page may expose internal service names, hostnames, URLs, tags, uptime history, and certificate metadata to anyone on the internet. In a homelab or self-hosted context, that information can aid reconnaissance and reveal attack surface even if no secrets are directly published.

VirusTotal

66/66 vendors flagged this skill as clean.
