ClawHub

umami-setup

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Umami setup guide, but it explicitly teaches users to deploy and verify analytics that bypass ad blockers.

Review before installing or using. Use only on sites you control, decide explicitly whether bypassing ad blockers is acceptable, update privacy notices and consent/opt-out handling where required, and avoid pasting admin passwords or bearer tokens into shared shells, logs, or screenshots.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly promotes a same-domain proxy 'to bypass adblockers' and 'Adblockers can't distinguish it from your own assets,' but it does not warn users that this intentionally circumvents user privacy controls and enables analytics collection despite blocking preferences. That omission is security- and privacy-relevant because it normalizes stealth tracking behavior and could lead operators to deploy deceptive telemetry without informed consent or legal review.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The guide instructs users to authenticate with Umami admin credentials and store the returned bearer token in a shell variable, but provides no warning about shell history, process exposure, least-privilege use, or token handling. While common in admin documentation, this omission can expose sensitive credentials or reusable API tokens on shared machines, CI logs, or copied terminal transcripts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal