Gradient Inference

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed DigitalOcean Gradient helper that sends chosen prompts and image prompts to DigitalOcean using the user's API key.

Install only if you are comfortable sending selected prompts, system messages, and image prompts to DigitalOcean Gradient with your GRADIENT_API_KEY. Use a dedicated key if possible, monitor usage, and leave --cache off for confidential or regulated content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documents and depends on capabilities that access environment variables, read/write local files, and make network requests, but it does not explicitly declare permissions. This creates a transparency and consent problem: users may install or run the skill without realizing it can transmit API-backed prompts externally and write cache/output files locally.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding: The script sends user prompts to an external inference API but does not present an explicit runtime warning that input leaves the local system. In agent or automation contexts, users may unintentionally submit sensitive data, creating privacy and data-handling risk even though the behavior matches the tool's stated purpose.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Responses API mode can send prompt text to a remote service and optionally enable server-side storage/caching via store=True, but the CLI does not prominently warn users about this persistence risk. This is especially relevant for an agent skill, where prompts may contain secrets or proprietary data and caching increases exposure duration.

VirusTotal

64/64 vendors flagged this skill as clean.