Quack Code Review Hardened

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed external code-review integration: it sends code to LogicArt or the linked repository scanner for analysis, so users should only send code they intentionally want those services to see.

Install only if you are comfortable with selected code leaving your environment for third-party analysis. Before each use, confirm the exact snippet or file being sent. Remove API keys, passwords, private keys, and any customer or proprietary data you do not want shared. Avoid repository-wide scans unless you have reviewed and approved that broader scope.
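The checklist above (confirm the exact payload, strip secrets, refuse broad scope without approval) can be enforced in code before anything is handed to the external service. The following is an added example written for this page; it is not part of the Quack Code Review skill, LogicArt, or SkillSpector. The secret patterns, the file-count threshold for "repository-wide", and the function names are illustrative assumptions, and the sample files are constructed.

```python
"""Pre-send gate for code going to an external review service.

Added example, not the skill's own code. It models the pre-use checklist:
1. produce a manifest of exactly what would leave the environment,
2. redact obvious credentials from the payload and report what was found,
3. refuse repository-wide scope unless the caller explicitly approves it.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed patterns for common credential shapes (assumption: not exhaustive).
# A clean result means "no obvious secrets", not "safe to share".
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"
    ),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{6,}['\"]"
    ),
    "bearer_header": re.compile(r"(?i)\bAuthorization\s*:\s*Bearer\s+[A-Za-z0-9\-._~+/]+=*"),
}

# Assumed threshold: more files than this counts as a repository-wide scan.
MAX_FILES_WITHOUT_APPROVAL = 5


@dataclass
class GateResult:
    allowed: bool
    redacted: dict = field(default_factory=dict)   # path -> redacted text
    findings: list = field(default_factory=list)   # (path, pattern name)


def redact(text):
    """Replace each secret match with a labelled placeholder; return (text, hit names)."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        text, count = pattern.subn(f"<REDACTED:{name}>", text)
        hits.extend([name] * count)
    return text, hits


def gate(files, approve_broad_scope=False):
    """Decide what may leave the environment.

    files: {path: source text}. Returns a GateResult whose `redacted` payload
    is the only thing that should be transmitted, and whose `findings` list
    is what the user must acknowledge before sending.
    """
    if len(files) > MAX_FILES_WITHOUT_APPROVAL and not approve_broad_scope:
        return GateResult(allowed=False, findings=[("*", "broad_scope_not_approved")])
    result = GateResult(allowed=True)
    for path, text in files.items():
        clean, hits = redact(text)
        result.redacted[path] = clean
        result.findings.extend((path, h) for h in hits)
    return result


def manifest(files):
    """Exactly what would be sent: (path, byte length, sha256) per file, sorted."""
    return [
        (path, len(text.encode()), hashlib.sha256(text.encode()).hexdigest())
        for path, text in sorted(files.items())
    ]


# Constructed sample input: one config with an API key, one fake private key, one clean file.
SAMPLE_FILES = {
    "app/config.py": 'API_KEY = "sk-live-0123456789abcdef"\nDEBUG = False\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfakekeybody\n-----END RSA PRIVATE KEY-----\n",
    "src/util.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    result = gate(SAMPLE_FILES)
    for path, name in result.findings:
        print(f"redacted {name} in {path}")
    for path, size, digest in manifest(result.redacted):
        print(f"would send {path} ({size} bytes, sha256 {digest[:12]}...)")
```

The caller shows the manifest and findings to the user and only transmits `result.redacted` after an explicit yes; a broad-scope request fails closed until `approve_broad_scope=True` is passed deliberately.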

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The skill description includes broad trigger phrases like 'review this code', 'analyze code', and 'find bugs', which are common requests in general coding workflows. This can cause the skill to auto-invoke in situations where the user did not specifically intend to send code to an external analysis service, increasing the chance of unintended data exposure.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script reads arbitrary local source code and sends it to a third-party endpoint without any explicit runtime warning, consent prompt, redaction step, or trust boundary disclosure. In a code-review skill, this is especially risky because analyzed files may contain proprietary code, secrets, credentials, internal URLs, or customer data, so the primary danger is silent data exfiltration to an external service.

VirusTotal

66/66 vendors returned a clean result for this skill. Antivirus engines check for known malicious code, so a clean VirusTotal result does not address the data-exposure findings above, which concern where the skill intentionally sends your code.
