ClawHub

Crisis Detector

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent crisis-safety purpose, but it describes sensitive mental-health monitoring and emergency escalation with too little scoping and user-control detail.

Review before installing. Use this only in an environment with explicit user notice and consent, trained human review before emergency-contact or authority escalation, strict access controls for safety-team data, retention and deletion rules, audit logging, and a clear way to stop or reduce monitoring. Verify the external npm package separately before deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill advertises behavioral tracking and real-time monitoring capabilities without presenting an upfront, prominent warning in the primary description that user behavior may be continuously monitored over time. In a mental-health context, this can undermine informed consent and lead operators to deploy highly sensitive surveillance features without adequately understanding the privacy implications for vulnerable users.

Missing User Warnings

Critical
Confidence
98% confidence
Finding
The skill includes actions such as notifying safety teams, emergency contacts, and contacting authorities, but the description does not prominently warn users or deployers upfront that detected risk may trigger escalation to third parties. Because this concerns crisis intervention and highly sensitive mental-health data, lack of clear disclosure can result in unexpected privacy violations, unsafe escalation, and serious legal or ethical harm to users.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal