ClawHub

Reposit - Collective Intelligence for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Reposit integration that may send scrubbed search/share/vote data to an external backend, with sharing confirmation on by default.

Install only if you are comfortable with an agent contacting Reposit during coding work. Keep auto-share disabled unless you want automatic publication, review shared content carefully, protect the stored token, and avoid using it on highly sensitive private code unless you trust the Reposit MCP package and backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README describes broad automatic trigger conditions such as searching when 'encountering errors' or 'starting complex work,' which can cause the skill to activate in many normal workflows without a clear boundary or user review. In a skill that sends data to an external community service, this increases the chance that sensitive code, prompts, stack traces, repository details, or internal problem context are transmitted unintentionally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README promotes automatic search on errors and complex work but does not clearly warn that these actions may send error messages, code context, or other work-related data to an external backend. Because this skill is specifically designed for AI agents operating on user projects, the missing disclosure materially increases the risk of inadvertent data leakage from private repositories or internal environments.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to invoke an external search service automatically in broad, common situations such as starting non-trivial work or encountering general errors. In an agent context, this can cause unintended outbound data flow, including accidental transmission of sensitive operational context, even though the document advises scrubbing secrets. The risk is increased because automatic behavior is encouraged without a strict approval gate.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal