Peer Review

Security checks across malware telemetry and agentic risk

Overview

The skill’s peer-review purpose is plausible, but it relies on unbundled shell scripts and encourages external sharing and logging of review content without clear safeguards.

Review carefully before installing. Use only if you can verify the referenced scripts yourself and are comfortable with review content being posted to Discord or retained in logs. Do not use it on confidential drafts, regulated data, private code, or unpublished business material unless you add explicit redaction and retention controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium, 93% confidence
Finding
The skill explicitly instructs posting analyses and synthesized critiques to Discord channels, which can expose user-provided or model-generated sensitive content to additional recipients and create persistent third-party records. Because the workflow is framed as normal operation and lacks any warning, consent gate, redaction requirement, or data-classification check, it creates a real privacy and data-handling risk rather than a purely informational mention.

Missing User Warnings

Medium, 95% confidence
Finding
The integration guidance says agents should call peer review before publishing and log all reviews, which normalizes routine transmission and storage of potentially sensitive user content without disclosure or safeguards. In this skill's context, the reviewed material may include high-stakes analyses, making it more likely that confidential business, financial, or personal information could be retained in logs or shared systems unintentionally.

VirusTotal

64/64 vendors flagged this skill as clean.
