Lead Scorer

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised lead-scoring web and DNS checks, with security hardening cautions but no evidence of hidden data theft, persistence, or destructive behavior.

Install only if you are comfortable with a local script making DNS and web requests to lead domains and writing results to a path you choose. Avoid running it on untrusted or internal targets without adding private-address blocking, and consider restoring normal TLS certificate verification before relying on scores at scale.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly documents network access (DNS lookups, website scraping, sitemap fetching, social link analysis) and also supports writing results to a file via `--output`, yet no declared permissions are present. This creates a transparency and policy-enforcement gap: users and hosting systems may not realize the skill can make outbound requests and write local files, increasing the risk of unexpected data access or misuse in automated environments.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The usage and behavior imply active scraping of third-party websites and DNS/network requests, but the description does not prominently warn users that running the skill will contact external domains. While this is core to the skill's purpose, the missing warning can still cause surprise, compliance issues, or unintended scanning of targets when used in batch mode.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs outbound DNS lookups and HTTP/HTTPS requests against user-supplied domains, and extracts contact information from fetched pages, without explicit consent prompts, allowlisting, or disclosure. In agent or multi-tenant environments, this can cause unintended data egress, interact with attacker-controlled infrastructure, and expose internal usage patterns or scan targets through external requests.

VirusTotal

64/64 vendors flagged this skill as clean.
