Api Resilience Handler

Security checks across malware telemetry and agentic risk

Overview

This is a local API error analysis and logging helper; its behavior matches its stated purpose, though users should avoid logging secrets because it stores raw error text locally.

Install only if you want a local Node.js helper for API error triage. Use the log command carefully: redact tokens, customer data, request bodies, and private URLs before logging, and remember that .api-errors.json will remain in the directory where the script is run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
Broad trigger keywords like 'error', 'retry', 'api', and 'exception' can cause unintended activation in many unrelated contexts. In an agent ecosystem, accidental invocation can expose internal context to the skill, trigger unintended logging/statistics collection, or interfere with normal workflows, increasing the risk of prompt-routing mistakes and data handling issues.

Vague Triggers

Medium
Confidence: 83%
Finding
The manifest trigger phrase 'api error handler' is ambiguous enough to match broad operational conversations rather than an explicit request to invoke this skill. In a system with automatic skill selection, this can lead to unintended routing, causing the skill to process prompts or log error details when the user did not intend that behavior.

Missing User Warnings

Medium
Confidence: 88%
Finding
The log command persists raw user-supplied error text and optional context into .api-errors.json without any notice, consent, redaction, or sensitivity checks. In this skill's context, error strings and context commonly contain API keys, tokens, URLs, request payloads, stack traces, or customer data, so silent local persistence can create an unintended secrets and privacy exposure on disk.

VirusTotal

66/66 vendors flagged this skill as clean.
