Back to skill

Security audit

Clawdhub.Bak 2026 01 28T18:01:16+10:30

Security checks across malware telemetry and agentic risk

Overview

This is a transparent ClawdHub CLI helper, but users should treat its install, update, and publish commands as actions that can change local skills or upload skill folders.

Install only if you want the agent to manage ClawdHub skills. Review the npm package and target registry, confirm before login, install, update, or publish actions, and avoid `--no-input --force` bulk updates unless you intentionally want broad local skill changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes commands that install packages, update local skill directories, force overwrites, and publish local content to a remote registry without any safety guidance or confirmation advice. In an agent setting, this increases the chance of unintended filesystem modification, pulling untrusted code/content, or accidental data publication, especially with commands like `update --all --no-input --force` and `publish`.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.