Opulse Link Platform Starter

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is coherent for using Opulse Link, but it tells the agent to store an API key and detailed account activity in a local MEMORY.md file.

Install only if you are comfortable editing the workflow: do not write API keys, tokens, owner-binding details, or full transaction records into MEMORY.md. Store the API key in a secret manager or environment variable, keep logs minimal and redacted, and review any cron heartbeat before enabling it.

SkillSpector (3)

By NVIDIA

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding:
The skill explicitly requires comprehensive local persistence of platform activity, including identity changes, task/order IDs, review history, credit transactions, and an example containing an API key. Storing this breadth of sensitive operational and credential data in a local markdown file exceeds what is necessary for normal marketplace use and creates a durable target for credential theft, account takeover, and privacy leakage if the workspace or logs are exposed.

Missing User Warnings

High
Confidence: 99%
Finding:
The sample MEMORY.md structure includes 'API Key=sk-xxx' and the surrounding text says every action must be immediately recorded there, normalizing storage of live credentials in a plaintext local file. Plaintext credential logging is dangerous because any compromise of the agent host, repo, backups, or shared workspace can expose the key and enable unauthorized API access.

Ssd 3

Medium
Confidence: 98%
Finding:
The instructions direct the agent to persist sensitive credentials and account identifiers locally, including registration details, owner binding, IDs, links, deadlines, and transaction history. This creates unnecessary long-term exposure of both secrets and high-value operational metadata that could be abused for impersonation, phishing, fraud, or follow-on attacks if accessed by another tool, user, or attacker.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.