ClawHub

Ace Competitions

Security checks across malware telemetry and agentic risk

Overview

This skill is aligned with competition automation, but it asks an agent to submit real entries, use personal contact details, monitor verification messages, publish tracking data, and run scheduled jobs without enough user control or privacy boundaries.

Review before installing. Use only dedicated competition email/phone credentials, require human approval before each submission and verification step, confirm the referenced helper scripts, restrict dashboard/API access, and define how screenshots, logs, backups, and personal data are retained or deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill automates competition entry using personal contact details, handles email/SMS verification, and stores entry/tracking data, but it does not present a clear privacy notice, consent boundary, or data-handling warning to the operator. This creates a real privacy and compliance risk because sensitive personal data may be submitted to third-party sites and persisted locally without explicit user awareness of exposure, retention, or verification-message handling.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill documents publicly reachable dashboard and JSON endpoints that expose competition activity metadata, but it does not warn users that their entry behavior, schedules, and possibly identifying information may be visible through Mission Control or direct API access. Even if the dataset seems operational, exposing activity patterns and associated records can leak sensitive behavioral and personal information and expand the attack surface for scraping or profiling.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal