Agent Dashboard — real-time progress board for any task

Security checks across malware telemetry and agentic risk

Overview

This is a transparent progress-dashboard skill, but users should know it sends numeric task metrics to an unauthenticated third-party statb.io board.

Install only if you are comfortable with progress counters and task metrics being sent to statb.io and visible to anyone with the board URL. Use explicit consent before enabling it on private work, and keep board IDs and metric keys generic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 96% confidence
Finding
The skill is defined to activate for virtually any long-running or multi-step task, which can cause routine agent work to automatically send progress metadata to an external third-party service. Because the skill encourages use across coding, deployments, scraping, CI, and data processing, it materially increases the chance of unintended data egress and user surprise even when the task does not require external telemetry.

Vague Triggers

Medium, 93% confidence
Finding
Several trigger phrases such as 'monitor progress' and 'keep me updated on progress' are common, ambiguous requests that do not clearly imply consent to contact an external service. This creates a realistic risk that the agent will invoke the skill and transmit operational metadata off-platform based on ordinary language that users may expect to be handled locally.

Missing User Warnings

Medium, 97% confidence
Finding
The skill presents statb.io as a simple dashboard mechanism but does not prominently warn that using it sends task-derived metadata to an external service with no access control. Although it mentions not to push sensitive data later, the lack of an upfront disclosure means users and downstream agents may enable telemetry without understanding the privacy and confidentiality implications.

VirusTotal

65/65 vendors flagged this skill as clean.
