ClawHub

Cuihua Logger

Security checks across malware telemetry and agentic risk

Overview

This is a local logging helper whose behavior matches its purpose, but its generated examples need privacy review before production use.

Install only if you will review the generated logging before committing it. Do not log passwords, tokens, session IDs, auth headers, full request bodies, payment details, unnecessary emails/IPs, or production stack traces; prefer allowlisted fields and redaction middleware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill strongly promotes request and user-context logging, including identifiers like email, IP, and request metadata, while giving only a brief best-practice warning later in the document. In a logging-focused skill, this omission is materially risky because users may copy patterns that capture personal data, secrets, or regulated information into production logs, increasing exposure through log aggregation, retention, and incident response workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The generated wrapper logs raw function arguments, error messages, and stack traces, which can capture secrets, tokens, PII, and internal paths. In a logging-assistant skill, this is more dangerous because users are likely to paste the generated code directly into production services, turning unsafe defaults into broad sensitive-data exposure.

Ssd 3

Medium
Confidence
97% confidence
Finding
Recording all arguments and detailed errors creates a direct path for sensitive user input to be persisted in logs, including passwords, API keys, session identifiers, and personal data. Because the skill markets itself as producing production-ready logs, unsafe capture of all inputs is especially risky and likely to be adopted without review.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal