ClawHub

Online Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a local testing-analysis skill that reads user-chosen data files and produces reports, with no evidence of hidden network access, persistence, or destructive behavior.

Install only if you trust the publisher and are comfortable running local Python scripts. Use a trusted Python environment for numpy, run the scripts only on files you intend to analyze, and sanitize logs or API responses first because generated reports may include business data, personal data, tokens, or other sensitive values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation phrases are broad, generic terms like '日志分析', '数据流分析', and '异常检测' that are likely to appear in ordinary user conversations. This can cause unintended skill invocation, which is risky because the skill is designed to process logs, API responses, and other potentially sensitive testing data without an explicit confirmation boundary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes analyzing logs, data streams, transaction data, and API responses but does not warn that these inputs may contain secrets, credentials, personal data, or regulated business information. In a real-time analysis skill, missing privacy and handling guidance increases the likelihood that users will expose sensitive data to the tool or downstream outputs such as generated reports.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are very broad, including generic terms like 'online analysis', 'rule extraction', and 'anomaly detection', which are likely to appear in many unrelated requests. Overbroad activation can cause the skill to run unexpectedly on sensitive user content such as logs or operational data, leading to unnecessary data handling or confusing tool selection.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest description says the skill activates for broad concepts such as 'real-time data rule extraction' and 'log/stream data analysis for testing' without clearly limiting data sources, sensitivity, or user confirmation requirements. This ambiguity increases the risk of the skill being invoked in contexts involving live operational or sensitive data where the user may not expect such processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to analyze live streams, logs, and database query data, all of which commonly contain secrets, personal data, or internal business information, yet it provides no warning about these privacy and confidentiality risks. Users may supply sensitive inputs without understanding the exposure, especially since the skill also offers exporting analysis results, which can further propagate confidential data.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal