Agent Relay Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it should be reviewed because it can control persistent Claude Code workers through a local API while sending operational data to Notion and optionally Telegram.

Install only if you are comfortable running a local relay that can control Claude Code sessions and record worker activity. Keep the service bound to localhost, protect the Notion token as a secret, review the external repository and npm dependencies first, disable Telegram unless needed, avoid sending secrets through worker messages, and periodically inspect or purge stored sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding
The Telegram ticker control expands the skill beyond the stated purpose of Claude worker orchestration with Notion visibility into an additional outbound notification/integration channel. Unrelated communication features increase attack surface and can enable unintended data disclosure or covert signaling, especially when paired with worker events and status data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs users to configure Notion credentials and run a local orchestration API but provides no warning about the sensitivity of those credentials, what data may be exposed through the API, or the privacy implications of worker/session visibility. In practice, this can lead users to deploy the service without understanding that local endpoints may expose operational metadata or connected-service data to other local processes or misconfigured network listeners.

VirusTotal

65/65 vendors flagged this skill as clean.
