Kyndlo Events

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent Kyndlo event workflow, but it gives agents broad production event and campaign authority that users should review first.

Install only if you intend an agent to use your Kyndlo token to claim tasks, create events, submit validations, and potentially access broader event-management commands. Use the least-privileged token available, start with small batches, review what the agent is about to do before confirming, and avoid the documented update/delete or campaign seeding commands unless you explicitly want those administrative changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The skill advertises very broad trigger phrases like 'create events' and 'generate events', which could cause accidental invocation during ordinary conversation. Because this skill can claim tasks, query campaigns, and create records in external systems, unintended activation can lead to unauthorized or surprise actions in the Kyndlo environment.

Missing User Warnings

Medium
Confidence: 91%
Finding
The workflow instructs the agent to immediately verify credentials and relies on API tokens and external service keys, but it does not clearly warn users up front that their credentials and linked external services will be used. In practice, this can cause users to authorize actions against sensitive third-party systems without informed consent, especially if the skill is triggered accidentally or by ambiguous requests.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill directs the agent to perform Google Places queries and even optional web searches to validate venues, but it does not provide a clear privacy disclosure before sending user-selected campaign/location context to external services. This creates unnecessary privacy and compliance risk because operational data about campaign targets, counties, and venue selection can be transmitted to third parties without explicit user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.
