Flexible Data Importer

Security checks across malware telemetry and agentic risk

Overview

This importer has a coherent purpose, but it asks for powerful database credentials and can upload local data to external services with too little safety scoping.

Review before installing. Use a test or staging Supabase project, avoid production service-role keys, back up data first, verify the actual npm package and publisher, keep API keys out of source control, and do not import confidential or regulated files unless you accept that samples or records may be sent to the LLM provider and Supabase.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly describes sending file-derived data to external services, including an LLM provider and Supabase, but provides no warning about privacy, sensitive data exposure, or data-handling expectations. This is dangerous because users may ingest confidential CSV/JSON/XLSX data under the assumption processing is local, resulting in unintentional disclosure of proprietary or regulated information to third parties.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly asks for a Supabase service role key and states it will create schema automatically, which implies high-privilege database modification. Without a clear warning about the power of that credential and the scope of database changes, users may unknowingly grant full administrative access and allow destructive or unintended schema/data operations.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill describes importing local files into Supabase but does not clearly disclose that file contents will be transmitted over the network to a remote third-party service. This can cause accidental exfiltration of sensitive data if users assume processing is local or do not understand the destination and extent of data transfer.

VirusTotal

66/66 vendors flagged this skill as clean.
