UAPI Get Gravatar Avatar Interface

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for one Gravatar avatar lookup endpoint, with privacy and routing caveats but no hidden execution or destructive behavior.

Install if you intend to use UAPI for Gravatar lookups. Prefer providing a Gravatar MD5 hash instead of a raw email when possible, and treat any email or hash submitted to the endpoint as personal data sent to an external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The keyword list includes very broad triggers such as "gravatar" and "avatar lookup", which can match many requests that are not specifically asking to call this exact endpoint. That can cause unintended skill invocation and misrouting, leading the agent to select this skill when the user intended a different avatar-related flow or provider.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding:
The skill metadata and default prompt are written to require Chinese-language interaction without indicating that the skill is locale-specific or giving the user a language choice. This can cause user confusion, reduce transparency, and lead to incorrect use of the API when users expect responses in another language, though it is not a direct code-execution or data-exfiltration issue.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs callers to send a user's email address to a Gravatar proxy/API but does not warn that email is personal data and may be disclosed to a third party or transformed into a stable identifier (MD5 hash). In this context, the omission can lead to unintended privacy exposure, weak user consent, and easier cross-service correlation of identities.

VirusTotal

65/65 vendors flagged this skill as clean.
