ClawHub

http-requests-1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward HTTP request helper; its network access and local summary logging are disclosed and match its purpose.

Install only if you want a raw API request helper. Double-check destination URLs and mutating methods, use least-privilege tokens, avoid putting secrets in query strings or inline command examples when possible, and use --no-log for sensitive requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill explicitly performs outbound network requests and writes logs to disk, yet the metadata shown declares no permissions. That mismatch can bypass user/admin expectations and governance controls, making it easier for the skill to exfiltrate data over HTTP or persist sensitive operational metadata without informed approval.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad enough to activate on many ordinary API-related requests, without clear limits on when this skill should or should not run. In a skill that can send arbitrary HTTP requests, overbroad activation increases the chance of unintended network actions, SSRF-like misuse, or sending sensitive headers/body data to attacker-controlled endpoints.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples include authentication headers and a form field containing a password-like value, but the documentation does not warn users about handling secrets safely or avoiding transmission to untrusted endpoints. In a skill specifically designed to send arbitrary HTTP requests, this omission can normalize copying bearer tokens, API keys, or passwords into commands, increasing the chance of credential exposure through shell history, logs, screenshots, or accidental use against the wrong endpoint.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal