ClawHub

Clawver Reviews

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Clawver review-management skill, but users should be careful because it can access customer review data and publish store responses.

Install only if you want an agent to manage Clawver reviews with your CLAW_API_KEY. Use the least-privileged key available, avoid exposing customer emails unless needed for support, review public replies before posting, and only configure webhooks to URLs you control with a strong secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description is broad enough to activate on generic feedback, ratings, or reputation-management requests, which can cause the agent to invoke this skill outside a clearly bounded Clawver-store context. That increases the chance of unnecessary API use and exposure of store review data in situations where the user only wanted general advice.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example response includes reviewerEmail values, which are personal data, but the skill provides no privacy minimization guidance or warning against unnecessary collection, display, or reuse. In an agent setting, examples often shape behavior, so this can normalize exposing customer PII in logs, summaries, or downstream tools.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The automated workflow posts customer-visible responses based solely on rating without an approval step or warning that the action is public and state-changing. This can lead to accidental, inappropriate, or mass-generated responses that affect customer trust and store reputation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal