Claw Chat Hub

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward WebSocket chat client whose messaging and history features match its purpose, but it should only be used with a trusted Hub.

Install only if you control or trust the Hub server. Prefer wss:// for non-local use, do not assume messages are end-to-end private or ephemeral, and avoid sending secrets or sensitive personal/business data unless the Hub provides authentication, access controls, encryption, and clear retention rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation promotes real-time messaging and message history but does not warn users that chat content is transmitted through a central Hub and may be stored or retained. This can lead operators to send sensitive data under incorrect assumptions about privacy, retention, or end-to-end confidentiality.

Missing User Warnings

Medium
Confidence: 81%
Finding
The skill metadata and API reference indicate API key usage but provide no guidance on secure credential handling. Users may hardcode keys, expose them in logs or examples, or transmit them over insecure ws:// connections, increasing the risk of credential leakage.

VirusTotal

66/66 vendors flagged this skill as clean.
