Project sourcing engine. Supports 6 resource types (Skill/Service/Material/Equipment/Human/Digital). Built for engineers and AI agents. Homepage: https://www.pclawai.com

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Pclaw marketplace helper, but it can guide agents to publish listings, create matches, access earnings, or join paid expo flows without enough confirmation and account-scope safeguards.

Install only if you trust Pclaw and intend to let an agent work with that platform account. Before any publish, demand post, match, expo create/join, or earnings lookup, require the agent to show the exact account, API action, data being sent, price or budget impact, and ask for explicit approval.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium (93% confidence)
Finding
The skill-level trigger phrases are broad business terms such as 发布需求, 上架, 展会 and 查技能, which can appear in ordinary conversation and may cause the agent to invoke this skill outside the user's intended platform context. Because this skill can lead to platform actions involving listings, demand publication, and account-linked operations, accidental activation could route user data or initiate unintended workflows.

Vague Triggers

Medium (90% confidence)
Finding
The route-level triggers for MATCH use generic terms like 匹配, 接单 and 响应需求 that are highly ambiguous and common across many domains. In context, these triggers map to a state-changing matching operation, so an imprecise dispatch layer could cause unintended platform-side actions or expose user intent/data to the wrong tool.

Missing User Warnings

Medium (95% confidence)
Finding
The DEMAND, MATCH, and related marketplace flows encourage sending detailed business descriptions, budgets, deadlines, and resource information to external platform APIs without warning that these inputs may contain commercially sensitive or regulated data. Users may disclose procurement plans, pricing expectations, project details, or third-party information without informed consent, creating confidentiality and data-handling risks.

Missing User Warnings

Medium (94% confidence)
Finding
The earnings and transaction-related features imply access to account-linked financial data, but the skill provides no warning that invoking these routes may retrieve sensitive revenue, payout, or transactional information. Without notice and explicit consent, the agent could surface or request financial data that users did not intend to access through an automated workflow.

VirusTotal

65/65 vendors flagged this skill as clean.
