Clank Website Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal website-monitoring skill, but users should set clear targets and polling limits before using recurring checks.

Install only if you will configure specific URLs, clear monitoring goals, and conservative polling intervals. Do not use it to monitor private/authenticated pages or sites whose policies prohibit automated fetching, and review any scheduled checks so they can be stopped easily.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill includes executable shell-based implementation guidance using curl, diff, and file operations, but declares no permissions or operational boundaries. That mismatch is dangerous because a user or agent may run network requests and local shell commands without explicit consent, review, or sandboxing expectations.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill is framed as broadly monitoring websites for changes, prices, jobs, and social mentions without defining trigger limits, allowed targets, cadence, or user authorization boundaries. In an agent setting, that ambiguity can enable overbroad surveillance, excessive polling, or use against sites and data sources the user did not intend to monitor.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation promotes automatic periodic checks and shows direct network fetching with curl, but provides no warnings about privacy implications, terms-of-service concerns, server load, robots/rate limits, or handling of authenticated/personalized pages. This can lead to abusive polling behavior, unintentional collection of sensitive content, or operational impact on third-party websites.

VirusTotal

64/64 vendors flagged this skill as clean.
