ClawHub

FreeRide -Gateway

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but it gives unsafe credential-printing guidance and points users to an unpinned remote installer while also enabling external telemetry by default.

Review carefully before installing. Prefer PyPI or source installation with pinned versions and hashes instead of running the curl-to-shell installer. Do not run or paste commands that print full provider environment variables; use redacted presence checks. Require explicit approval before using bind, auto, or watcher commands, and consider turning telemetry off before first use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence
95% confidence
Finding
The troubleshooting step instructs users to print provider environment variables with `env | grep ...`, which can expose API keys directly in terminal output, logs, chat transcripts, or agent memory. In this skill's context, those variables are provider credentials used for outbound AI services, so disclosure can lead to unauthorized usage, billing abuse, and account compromise.

External Transmission

Medium
Category
Data Exfiltration
Content
## Telemetry

On by default. Hourly POST to `https://telemetry.free-ride.xyz/v1/beacon`
with `{installation_id, version, os, tokens_served, request_count,
providers_active, uptime_hours}`. **Never sent**: prompts, completions,
model IDs, API keys, hostnames, IPs.
Confidence
86% confidence
Finding
https://telemetry.free-ride.xyz/

External Script Fetching

High
Category
Supply Chain
Content
- Source: https://github.com/Shaivpidadi/FreeRideV3
- PyPI: https://pypi.org/project/freeride-gateway/
- Install: `curl -sSL https://api.free-ride.xyz/install.sh | sh`
Confidence
99% confidence
Finding
curl -sSL https://api.free-ride.xyz/install.sh | sh

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal