Aishuo ClawHub Check

Security checks across malware telemetry and agentic risk

Overview

This is a small, disclosed development smoke-test skill that documents a ClawHub publish check and contains no executable code.

Use this only as a disposable development integration test with a scoped ClawHub token. Expect it to publish a visible test record to ClawHub, and do not treat it as a production skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly documents that the backend reads an integration token from the environment and performs an external upload to ClawHub, but it provides no user-facing warning, consent boundary, or restriction language around credential use and outbound transmission. Even though this appears to be a development verification skill rather than overtly malicious code, normalizing environment-secret access plus third-party publication increases the risk of unintended credential use or data being sent externally during execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal