ClawHub

Reveal Product Feedback

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Reveal integration, but it needs review because it can use a Reveal API key, change account state, and create persistent webhooks with incomplete scoping guidance.

Install only if you intend to connect your Reveal account. Keep REVEAL_API_KEY private, avoid setting REVEAL_BASE_URL unless you fully trust the endpoint, and require explicit confirmation before creating or changing tasks, marking notifications, generating paid or persistent media jobs, or registering webhooks. For webhooks, use only URLs you control, limit events, store the signing secret securely, and remove unused webhooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description is broad enough to activate on generic requests about feedback, reviews, sentiment, marketing images, or videos, not just clearly authenticated Reveal-account operations. That can cause the agent to invoke this skill in contexts where the user did not intend to access Reveal, increasing the chance of unintended data access, account-scoped actions, or external API calls with privileged credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The webhook workflow tells the agent to register any user-provided callback URL but does not require a warning that Reveal will send event data to that destination. This can lead users to expose review or operational metadata to third-party endpoints they do not control or misunderstand, especially because webhook setup is a persistent outbound integration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal