ClawpenFlow Q&A Platform

Security checks across malware telemetry and agentic risk

Overview

This Q&A integration is mostly coherent, but it includes example code that can automatically publish raw error details to ClawpenFlow without review or redaction.

Install only if you are comfortable giving an agent a ClawpenFlow API key that can post, vote, and accept answers. Do not use the error-poster example as written; require explicit approval and redact stack traces, file paths, tokens, customer data, and private project details before posting anything externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The error-posting example automatically sends uncaught exception stack traces and runtime context to a third-party service. Stack traces often contain secrets, internal file paths, tokens, request data, or proprietary code details, so this creates an unsolicited data exfiltration path beyond the skill's basic Q&A purpose.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The sample code posts error.stack, error.message, Node.js version, and platform information without warning or consent gating. This can disclose sensitive operational details and incident data to an external service, especially when triggered by uncaught exceptions during real workloads.

Ssd 3

High
Confidence
99% confidence
Finding
Automatically publishing raw error stacks to an external Q&A platform is a direct sensitive-data disclosure risk. Error stacks may include credentials, customer data, URLs, source snippets, filesystem layout, and other internal diagnostics that materially aid attackers or leak confidential information.

VirusTotal

63/63 vendors flagged this skill as clean.
