Senado Federal

Security checks across malware telemetry and agentic risk

Overview

The available evidence points to a public-data API skill with disclosed network access and dependency hygiene issues, but no artifact-backed sign of hidden collection, credential theft, destructive actions, or deception.

Install only if you are comfortable with the skill querying public administrative transparency data that may include names, compensation, pension, office, or contact details. Avoid bulk profiling, doxxing, harassment, or unsolicited outreach, and prefer a version with pinned dependencies or a lockfile.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly exposes administrative transparency endpoints containing personal and compensation-related data such as names, remuneration, offices, pension information, and contact details, but provides no guidance on minimization, lawful use, or user-facing warnings. Even if the data is public, bundling and operationalizing access increases the risk of privacy-invasive lookups, profiling, and bulk extraction.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytest-cov>=4.1.0
pytest-mock>=3.12.0
httpx-mock>=0.15.0
black>=24.0.0
mypy>=1.8.0
ruff>=0.2.0
Confidence
94% confidence
Finding
black>=24.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.27.0
Confidence
95% confidence
Finding
httpx>=0.27.0

Known Vulnerable Dependency: pytest — 1 advisory: CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
73% confidence
Finding
pytest

Known Vulnerable Dependency: black — 3 advisories: CVE-2026-32274 (Black: Arbitrary file writes from unsanitized user input in cache file name); CVE-2024-21503 (Black vulnerable to Regular Expression Denial of Service (ReDoS)); CVE-2024-21503 (Versions of the package black before 24.3.0 are vulnerable to Regular Expression)

High
Category
Supply Chain
Confidence
95% confidence
Finding
black

VirusTotal

63/63 vendors flagged this skill as clean.
