Security audit

Ai Humanizer (Disabled)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed text-analysis and rewriting tool with optional local CLI, API, and MCP integrations, and I found no hidden exfiltration, persistence, or destructive behavior.

Install only if you want an AI-writing detector and humanization editor. Be careful with confidential drafts: CLI/MCP use stays local, but any deployed API or Custom GPT Action will send submitted text to that endpoint. Do not add the always-on prompt rules unless you want the agent's general writing style changed beyond explicit humanization requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 79%
Finding: The skill metadata declares no permissions, yet the documented/observed capabilities include environment access and network use. That mismatch is dangerous because it prevents accurate risk gating and informed user consent, especially if the skill can transmit text externally or read sensitive configuration from environment variables.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill is presented as a text-humanization tool, but its broader behavior includes repository-wide scanning, diff/comparison workflows, an HTTP API with CORS, and an MCP server exposed to external clients. That expansion materially changes the attack surface: sensitive documents could be enumerated at scale, and exposed service endpoints could be invoked in contexts the user did not intend.

Vague Triggers

Severity: Medium
Confidence: 72%
Finding: Broad activation phrases increase the chance that the skill will trigger on ordinary editing or review requests outside the user's intended scope. In this context, that matters because the skill is designed to rewrite text aggressively and could alter meaning, tone, provenance signals, or compliance-sensitive wording when the user only asked for generic editing help.

Natural-Language Policy Violations

Severity: Medium
Confidence: 84%
Finding: The always-on mode instructs agents to permanently apply a covert style-transformation policy without per-request opt-in. That is risky because it can silently override user intent, obscure that text has been intentionally modified to avoid AI-detection heuristics, and propagate behavior into unrelated tasks where fidelity and transparency matter more than stylistic concealment.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: This API is explicitly designed to send arbitrary user-provided text to a remote server for scoring, analysis, and rewriting, but the OpenAPI description does not disclose any privacy, retention, or transmission warning. Because users may submit sensitive drafts, proprietary content, or personal data for analysis, the lack of a clear warning and data-handling disclosure can lead to inadvertent exfiltration of confidential information to the service operator.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The analyzer stores and returns matched excerpts from arbitrary input text in `findings`, and the report formatters render those excerpts directly. If users submit sensitive content, the tool can unintentionally propagate that content into logs, terminal output, JSON artifacts, markdown reports, or shared results, creating a privacy/data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Severity: Warn
Code: suspicious.prompt_injection_instructions
Location: docs/INTEGRATIONS.md:123