ClawHub

Cuihua Error Handler

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a legitimate error-handling helper, but its generated examples can add risky logging and response patterns that may expose sensitive application data.

Review any generated changes before applying them, especially in auth, payment, database, and API-route code. Redact or remove generated logging of full arguments, request bodies, payloads, tokens, payment details, stack traces, and raw internal errors, and verify retries, fallbacks, circuit breakers, and rollbacks do not change production behavior in unsafe ways.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README suggests very broad natural-language invocations like "Check error handling coverage in src/" and "Add error handling to processPayment function" without defining scope boundaries, confirmation steps, or excluded files. In an agentic environment, such open-ended triggers can cause the skill to operate on more code than intended, modify sensitive paths, or apply risky automated changes to security-critical functions without adequate review.

Ssd 3

Medium
Confidence
95% confidence
Finding
The example logs the full request body and includes detailed error information in responses under some conditions. This can expose sensitive fields such as user identifiers, payment details, tokens, or internal exception content to logs and clients, increasing the chance of data leakage and reconnaissance.

Ssd 3

Low
Confidence
94% confidence
Finding
The fallback user object includes the original internal error message in the returned payload. Even when impact is limited, exposing backend error text to callers can reveal implementation details, dependency failures, or operational state that aids debugging for an attacker.

Ssd 3

Low
Confidence
94% confidence
Finding
The external API fallback response returns raw internal error text to the caller. This leaks backend and dependency failure details that can help attackers map services, trigger-specific behaviors, or infer outage conditions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal