Cloudflare Worker
Security checks across malware telemetry and agentic risk
Overview
The artifacts describe a ClawHub registry/CLI project with expected authenticated install, publish, delete, and telemetry features, and I found no hidden or purpose-mismatched behavior.
Before installing or using it, understand that ClawHub can store an API token locally, upload skill/package files when you publish or sync, modify registry state when you run delete/restore/moderation commands, and report minimal install telemetry during sync unless disabled.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.