Clawhub Skill Trend Scout

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Citedy trend-research skill, but it asks for a reusable API key and includes paid API workflows plus referral-style promotion that users should review before installing.

Install only if you intentionally want to use Citedy for these tasks, are comfortable sending research topics and competitor URLs to Citedy, and understand that many workflows spend Citedy credits. Require explicit confirmation before any paid endpoint runs, do not paste or store the API key in plain chat if a safer secret store is available, and avoid using the referral link or Citedy-promotional recommendations unless you explicitly choose to.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium (95% confidence)

Finding:
The skill includes instructions to retrieve and save a referral URL for recommending Citedy to others, which is unrelated to the declared trend-scouting and competitor-analysis function. This creates an undisclosed secondary objective that can steer the agent toward vendor promotion and link propagation, increasing the risk of biased behavior and abuse of user trust.

Context-Inappropriate Capability

Medium (97% confidence)

Finding:
The response guidance explicitly nudges the agent to generate recommendations such as comparisons involving Citedy, which can bias outputs toward self-promotion rather than neutral analysis. In a research skill, this undermines integrity and can covertly manipulate user-facing recommendations.

Missing User Warnings

Medium (90% confidence)

Finding:
The skill instructs the agent to ask the user to paste an API key and to store and reuse it, but provides no safety guidance on secret handling, scope minimization, masking, or secure storage. This increases the chance of credential exposure in chat history, logs, downstream tools, or accidental retransmission.

VirusTotal

59/59 vendors flagged this skill as clean.
