Digital Clawatar

Security checks across malware telemetry and agentic risk

Overview

This skill largely matches its UNITH avatar-management purpose, but it can permanently delete hosted avatars and sends account/content data to external services with limited guardrails.

Install only if you intend to let this skill manage your UNITH account. Require explicit confirmation before any delete or major update, including the exact head ID and alias; protect UNITH_SECRET_KEY and consider disabling or relocating UNITH_TOKEN_CACHE; upload only documents approved for UNITH processing; and treat Voiceflow keys, plugin webhooks, and conversation content as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell scripts and external binaries (`bash`, `curl`, `jq`) and performs authenticated API operations, but it does not declare corresponding permissions. That creates a transparency and policy gap: an agent may execute networked shell actions with user-supplied credentials and perform create/update/delete operations without an explicit permission boundary.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The description contains broad activation language such as 'use when users want to create an AI-powered digital human' and several general-purpose scenarios, without strong trigger boundaries. This can cause overbroad invocation of a skill that has side effects, including authentication, resource creation, updates, deletions, and document uploads to a third-party API.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs agents to upload knowledge documents for `doc_qa` mode but does not warn that those files are transmitted to UNITH, a third-party service. Users may provide sensitive internal documents under the mistaken assumption that processing is local, leading to unintended external disclosure of proprietary or regulated data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes a live credential-bearing field (`voiceflowApiKey`) and shows its expected format, but provides no guidance on secret handling, redaction, storage, or avoiding accidental exposure in logs, examples, or client-side code. In an agent skill that helps users configure external services, this omission increases the chance that operators paste real API keys into insecure places or expose them downstream.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Plugin mode states that UNITH sends conversation messages to an external webhook, but does not warn that user prompts, responses, and possibly personal or sensitive data will leave the platform boundary and be processed by a third-party endpoint. In this skill context, that omission is security-relevant because the whole feature encourages routing conversational data to arbitrary infrastructure controlled by the operator.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document upload flow instructs users to send files to the service without cautioning that uploaded documents may contain confidential, regulated, or proprietary data. Because this mode is specifically designed for knowledge ingestion, users may upload sensitive internal material without understanding the disclosure, retention, or compliance implications.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The widget example logs avatar messages to the browser console, which can expose conversation content containing personal, sensitive, or proprietary data during debugging, screen sharing, or collection by monitoring tools. In a conversational avatar/document Q&A context, logged messages may include user-submitted content or model outputs that should not be retained in client-side logs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script caches a valid bearer token in /tmp by default, a shared, world-accessible directory on multi-user systems. Although the file is set to mode 600 after creation, writing the token before restricting permissions leaves a window, and keeping credentials in /tmp at all increases exposure to race and symlink attacks, accidental persistence, and token theft if the file path is predictable or can be overridden unsafely.

VirusTotal

66/66 vendors flagged this skill as clean.