justinX

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal JustinX integration, but users should understand that stream data and credentials are sent to JustinX.

Install this only if you intend to use JustinX as a third-party streaming data service. Use scoped API keys and least-privilege broker credentials, avoid sending secrets or regulated data in stream payloads unless approved, confirm retention and compliance requirements, and rotate keys if they are pasted into configs or shell history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to connect MQTT/Kafka/webhook data and provide broker or API credentials to a third-party service, but it does not warn about data sensitivity, credential handling, tenant trust boundaries, or compliance implications. This is dangerous because users may route production telemetry, secrets embedded in payloads, or authentication material to an external platform without informed consent or appropriate safeguards.

External Transmission

Medium
Category
Data Exfiltration
Content
{
  "mcpServers": {
    "justinx": {
      "url": "https://api.justinx.ai/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
Confidence
91% confidence
Finding
https://api.justinx.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**Via mcporter** (if you have the mcporter skill installed):

```
mcporter add justinx --url https://api.justinx.ai/mcp --header "Authorization: Bearer YOUR_API_KEY"
```

Then call tools with:
Confidence
90% confidence
Finding
https://api.justinx.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
```
create_connection type=webhook

# The response includes an ingestUrl. Send data to it:
# POST https://api.justinx.ai/connections/<id>/ingest
```

### Connect to Kafka
Confidence
93% confidence
Finding
https://api.justinx.ai/

VirusTotal

66/66 vendors flagged this skill as clean.
