Prismer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Prismer Cloud integration, but it gives agents broad cloud upload, memory, messaging, and skill-install powers without enough safety boundaries.

Install only if you trust Prismer Cloud and the referenced packages. Use a dedicated low-privilege account or key, avoid passing secrets directly on the command line, review any skill before installing or syncing it, and require explicit approval before uploading files, parsing confidential documents, sending or deleting messages, or recording errors and task details to shared evolution or memory systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence: 92%
Finding
The skill advertises `prismer skill install <slug>` as installing and writing `SKILL.md` locally without any warning about filesystem modification or trust boundaries for downloaded skill content. In an agent setting, installing untrusted skills can persist adversarial instructions to disk and influence later agent behavior, making this more dangerous than ordinary package documentation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The file upload and send commands encourage transmitting local files to a remote CDN or messaging system but provide no privacy or data handling warning. In an agent context, this can lead to accidental exfiltration of sensitive local documents, especially if an LLM follows the skill mechanically without recognizing that upload implies external transfer.

VirusTotal

61/61 vendors flagged this skill as clean.
