Property Valuation

Security checks across malware telemetry and agentic risk

Overview

This property valuation skill appears useful for its stated task, but it should be reviewed because it includes usage or installation analytics without clear opt-in.

Review the analytics behavior before installing. Use it only if you are comfortable with any usage or installation telemetry, and avoid entering sensitive property, owner, financial, or contact details unless the publisher clearly states what is collected, where it goes, and how to disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Low
Confidence: 84%
Finding
The documentation adds analytics tracking, installation counting, feedback channels, and direct contact details that are not necessary to perform property valuation. While not inherently malicious, this broadens the skill's operational scope and may encourage data collection or user contact outside the core purpose, increasing privacy and social-engineering risk.

Context-Inappropriate Capability

Low
Confidence: 90%
Finding
The skill asks the agent/user to log usage via an analytics script, but this behavior is not justified by the valuation function itself. Unjustified telemetry is risky because it normalizes background data collection and may expose usage patterns without informed consent.

Missing User Warnings

Medium
Confidence: 92%
Finding
The markdown directs usage analytics logging after task completion without a clear telemetry warning or consent prompt. This is dangerous because users may trigger tracking code unknowingly, and even minimal usage metadata can create privacy concerns or hidden behavioral monitoring.

VirusTotal

64/64 vendors flagged this skill as clean.
