Sendivent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sendivent API documentation skill, but it gives agents real notification/contact powers and includes unsafe secret-handling guidance.

Install only if you intend to let an agent work with Sendivent. Prefer sandbox/test keys first, confirm production recipient lists and contact deletions, use idempotency keys for sends, and do not copy the webhook example that logs the signing secret; store that secret securely instead.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The trigger phrase "notification api" is overly generic and can cause the skill to activate for broad, unrelated user requests about notifications or APIs. Overbroad activation increases the chance that the agent routes sensitive or destructive actions to this skill without the user explicitly intending to use Sendivent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation exposes a hard-delete contact operation and notes permanence, but it does not instruct the agent to warn the user, confirm intent, or validate the target before deletion. In an agentic context, omission of safety guardrails around irreversible actions can lead to accidental data loss and privacy-impacting deletions.
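The guardrail this finding asks for, as an added example that is not code from the Sendivent skill or SDK. The client shape (`client.contacts.get(id)` and `client.contacts.delete(id)`), the contact id format, and the in-memory stand-in client are assumptions chosen to show the pattern: an irreversible delete in production is refused unless the caller passes an explicit confirmation, the id is well formed, and the record actually matches the contact the user named.

```javascript
// Added example; not code from the Sendivent skill or SDK. The client shape
// (client.contacts.get(id) / client.contacts.delete(id)) and the contact id
// format are assumptions standing in for whatever the real SDK exposes.

const CONTACT_ID_RE = /^[A-Za-z0-9_-]{8,64}$/; // assumed id format

// Gate an irreversible delete: in production the caller must pass an explicit
// confirmation, the id must be well formed, and the record must match what the
// user actually asked to remove (by e-mail) before anything is deleted.
async function guardedDeleteContact(client, contactId, opts = {}) {
  const { env = 'production', confirmed = false, expectedEmail } = opts;

  if (env === 'production' && confirmed !== true) {
    return { ok: false, reason: 'confirmation_required', contactId };
  }
  if (typeof contactId !== 'string' || !CONTACT_ID_RE.test(contactId)) {
    return { ok: false, reason: 'invalid_contact_id', contactId };
  }

  const contact = await client.contacts.get(contactId);
  if (!contact) {
    return { ok: false, reason: 'not_found', contactId };
  }
  if (expectedEmail && contact.email.toLowerCase() !== expectedEmail.toLowerCase()) {
    // The agent resolved the wrong record; refuse rather than delete a stranger.
    return { ok: false, reason: 'target_mismatch', contactId, actual: contact.email };
  }

  await client.contacts.delete(contactId);
  return { ok: true, deleted: contactId, email: contact.email };
}

// Constructed in-memory stand-in for the SDK so the guard runs offline.
function makeFakeClient(seed) {
  const contacts = new Map(Object.entries(seed));
  return {
    contacts: {
      get: async (id) => contacts.get(id) ?? null,
      delete: async (id) => { contacts.delete(id); },
      has: (id) => contacts.has(id),
    },
  };
}
```

In an agent harness, `confirmed` should only ever be set from a fresh, explicit user reply to a prompt that names the contact (id and e-mail), never inferred from the original request; `env` comes from the key in use (sandbox versus production), which is also why sandbox keys are the right place to exercise this path first.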

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The API reference shows that webhook creation returns a `signing_secret` but does not warn that it is sensitive and should only be displayed once, stored securely, and never logged or re-shared. In an agent/tooling context, documentation like this can encourage unsafe handling of secrets, increasing the risk of webhook forgery if the secret is exposed.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guide logs `data.webhook.signing_secret` directly to the console after webhook creation. A webhook signing secret is a credential used to authenticate incoming webhook requests, so printing it increases the risk of exposure through logs, terminal history, CI output, or shared observability systems. In SDK documentation, this is especially risky because users may copy the example verbatim into production setup scripts.

VirusTotal

65/65 vendors flagged this skill as clean.
