ClawHub

Skill Antivirus & Security Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Ziniao Browser bridge integration, but users should treat its API key setup as sensitive.

Install only if you intend the agent to control Ziniao Browser through your local ZClaw bridge. Treat ZCLAW_API_KEY as a secret: prefer environment or config-file setup, avoid pasting it into shared chats or screenshots, and review ~/.zclaw/config.json if you later want to rotate or remove access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly states that API keys are shown to the user and that credentials are stored under a local path, but it does not warn that these values are sensitive secrets that should not be copied into chats, logs, screenshots, or shared terminals. In an agent setting, normalizing the display and handling of API keys increases the chance of accidental credential disclosure and unauthorized account linkage or quota abuse.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The onboarding flow describes automatic key retrieval, local credential persistence, and immediate activation without clearly informing the user that installation changes local state and may link the agent to a remotely managed service. That lack of transparency can lead users to approve installation without understanding filesystem modifications, background account association, or the privacy and security implications of stored credentials.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal