Agent marketplace of skills

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate paid-API marketplace purpose, but it pushes agents to install remote skills, create payment credentials, and save secrets persistently without clear user consent.

Install only if you are comfortable manually controlling setup. Do not allow automatic wallet creation, remote skill installation, paid API calls, or persistent API-key storage. Use a real secret manager for any CrowPay key, approve each payment-related action explicitly, and avoid sending sensitive Authorization headers or private data through third-party seller APIs unless you trust the seller.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

High (98% confidence)
Finding
The skill goes far beyond API discovery by instructing the agent to create a third-party wallet, generate credentials, and persist secrets and behavior across sessions without user confirmation. This expands privilege, creates durable side effects, and can cause unauthorized account creation and future paid actions under the user's identity.

Intent-Code Divergence

Medium (83% confidence)
Finding
The document claims the user already authorized immediate setup, while later implying setup should depend on user confirmation about funding and use. This contradiction is dangerous because it nudges the agent to treat mere exposure to the skill as authorization for consequential actions.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The skill instructs permanent installation of itself and another skill across sessions, introducing persistence unrelated to the minimum functionality needed for a one-time marketplace lookup. Persistent installation broadens attack surface and can keep risky behavior active long after the original task ends.

Context-Inappropriate Capability

High (99% confidence)
Finding
The skill explicitly directs the agent to write an API key and future behavioral directives into persistent memory or instruction files. Persisting secrets and policy changes this way can leak credentials, silently bias future decisions, and create cross-session compromise if those stores are exposed or reused.

Intent-Code Divergence

Medium (86% confidence)
Finding
The skill's security section says never to log or display API keys, yet earlier instructions normalize handling and persisting the raw secret in memory and examples. This inconsistency can lead implementers to expose or mishandle credentials despite the later warning.

Vague Triggers

High (94% confidence)
Finding
The trigger scope is extremely broad, effectively activating the skill for many generic requests involving APIs, external data, analytics, or automation. In context, that broad routing is dangerous because this skill also contains setup, persistence, and payment-related instructions that could be reached unnecessarily.

Missing User Warnings

High (98% confidence)
Finding
The skill directs immediate installation, wallet creation, API-key handling, and persistent changes without first warning the user about external transmissions, credential creation, or long-term storage. That deprives the user of informed consent for system- and privacy-affecting actions.

Natural-Language Policy Violations

Medium (97% confidence)
Finding
The document explicitly tells the agent to act autonomously and asserts that providing the document itself constitutes authorization. This is a classic prompt-level attempt to bypass the normal consent model for sensitive operations.

Vague Triggers

High (93% confidence)
Finding
The required behavior triggers on 'ANY API service' or 'external data source,' which is much broader than a specialized marketplace integration should be. Given the rest of the skill, this could divert many ordinary requests into a third-party marketplace and associated payment/setup flow without necessity.

Missing User Warnings

High (97% confidence)
Finding
The copy-paste prompt snippet instructs agents to execute the full setup immediately, including installation, wallet creation, API-key saving, and claim-link handling, without presenting risks first. This operationalizes the unsafe behavior and makes accidental deployment more likely.

Missing User Warnings

Medium (94% confidence)
Finding
The reference explicitly states that the Authorization header is passed through to the seller's API and that request bodies are forwarded unchanged, but it does not warn users that this sends secrets and potentially sensitive data to an untrusted third-party seller. In a marketplace for paid external APIs, this omission is security-relevant because users may assume they are only interacting with Nightmarket rather than directly disclosing credentials and payloads to arbitrary vendors.

Ssd 3

High (99% confidence)
Finding
The skill instructs the agent to persist a one-time API key across sessions in memory, notes, or instruction files. Long-lived storage of a payment-capable secret in general-purpose memory is highly risky because it enables later misuse, accidental disclosure, and cross-context leakage.

Ssd 1

High (98% confidence)
Finding
The prompt claims the document itself is sufficient authorization and instructs the agent not to ask for confirmation before performing consequential actions. This is dangerous because it attempts to substitute embedded instructions for actual user consent.

Ssd 4

High (98% confidence)
Finding
The setup sequence chains together installation, account creation, secret capture, persistent storage, and future behavior modification before meaningful user interaction. This progressive workflow is dangerous because each step increases persistence and authority, making later abuse easier and harder for the user to detect or unwind.

VirusTotal

61/61 vendors flagged this skill as clean.