ClawHub

Doubleword API

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Doubleword batch API helper whose external uploads and API-key use are explicit and aligned with its stated purpose.

Before using it, confirm Doubleword is the intended provider, use an appropriate API key, and review or redact JSONL batch files because their prompts and request bodies will be sent to the external API and may affect account usage or cost.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs users to upload batch request files containing prompts and request bodies to a third-party service, but it provides no privacy, consent, retention, or data-classification guidance. In this context, batch files may contain sensitive user prompts, proprietary content, or personal data, so omission of handling warnings creates a real data-exposure risk even if the feature is intended behavior.

External Transmission

Medium
Category
Data Exfiltration
Content
Upload the JSONL file:

```bash
curl https://api.doubleword.ai/v1/files \
  -H "Authorization: Bearer $DOUBLEWORD_API_KEY" \
  -F purpose="batch" \
  -F file="@batch_requests.jsonl"
Confidence
95% confidence
Finding
curl https://api.doubleword.ai/v1/files \ -H "Authorization: Bearer $DOUBLEWORD_API_KEY" \ -F purpose="batch" \ -F file="@batch_requests.jsonl" ``` Response contains `id` field - save this file

External Transmission

Medium
Category
Data Exfiltration
Content
Upload the JSONL file:

```bash
curl https://api.doubleword.ai/v1/files \
  -H "Authorization: Bearer $DOUBLEWORD_API_KEY" \
  -F purpose="batch" \
  -F file="@batch_requests.jsonl"
Confidence
95% confidence
Finding
https://api.doubleword.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal