ClawHub

Dashboard Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a scoped local helper for reading and updating one Jarvis dashboard data file, with automatic dashboard-state updates disclosed in its documentation.

Install this only if you want an agent to update the configured Jarvis dashboard data.json file. Keep a backup, verify the hard-coded path, and expect dashboard fields such as notes, logs, tasks, stats, heartbeat, and agent status to change during background or silent workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly describes autonomous background behavior that reads pending notes, updates tasks, writes logs, and synchronizes `data.json` every 2 seconds in silent mode, but it does not prominently warn that persisted state will be modified without direct user interaction. That creates a real safety issue because users or operators may enable the skill expecting passive dashboard access, while it can continuously alter application state and process queued items automatically.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description 'Gère les interactions avec le dashboard Jarvis' is broad enough that an orchestrator could invoke this skill for many dashboard-related requests without clear boundaries. In this skill's context, that ambiguity is more dangerous because the manifest grants write access to a specific data file and enables system/file-management capabilities, increasing the chance of unintended privileged actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal