Runpod

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Runpod connector, but it can disrupt or delete cloud workloads and includes an automatic remote installer pattern that users should review before use.

Install only if you trust OOMOL and intend to let the agent operate your Runpod account. Confirm exact pod IDs and intended effects before stop, reset, restart, or delete actions, and review the oo CLI installer source or use a safer verified install path instead of letting an agent run remote install scripts automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
This action documentation describes a destructive operation that resets a Runpod pod but provides no warning about service interruption, loss of in-memory state, or the need to confirm the target pod before execution. In an agent skill context, the lack of explicit caution increases the chance of accidental misuse or unsafe automation against production infrastructure.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
This action documentation clearly states it stops a Runpod Pod, but it does not warn that stopping a pod can interrupt active workloads, terminate in-memory state, or cause service disruption. In an agent skill that may be invoked automatically for any Runpod request, omission of this caution increases the chance of unintended destructive use without adequate user confirmation.

External Script Fetching

Severity: High
Category: Supply Chain
Content:
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

Confidence: 97%
Finding:
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

63/63 vendors flagged this skill as clean.
