ClawHub

AgentReviews

Security checks across malware telemetry and agentic risk

Overview

This skill is a location-based review helper with real privacy considerations, but its sensitive behavior is mostly disclosed, opt-in or user-directed, and aligned with its purpose.

Install only if you are comfortable using AgentReviews with an API token and sharing venue/location context for nearby search and review posting. Keep proactive mode disabled unless you explicitly want location-triggered suggestions, and avoid configuring a signing helper unless your runtime stores keys securely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The documented proactive location-triggered mode expands the skill from user-requested review/discovery into passive behavior based on location context. In a location-centric review skill, this can cause unexpected collection or inference of sensitive movement data and trigger actions the user did not explicitly request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises location-triggered proactive suggestions without an explicit privacy warning, despite location being sensitive personal data. Users may enable the feature without understanding that their presence near venues could be monitored, inferred, or used to generate unsolicited prompts tied to real-world movement patterns.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to use GPS context and venue resolution via external services, but it does not require an explicit user-facing notice that inferred/current location and venue data will be transmitted to third parties. This can cause silent disclosure of sensitive location-linked data, especially for nearby search, bathroom lookup, and review posting flows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The error-handling guidance tells the agent to save review details and retry later, but it does not warn that this may retain user-generated text plus precise location-linked venue data outside the immediate interaction. Temporary retention of reviews, coordinates, and associated metadata creates privacy and data-minimization risk if stored without disclosure, limits, or protection.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal