Security audit

AppScreenshotStudio

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent App Store screenshot generator, but users should review what project details are sent to AppScreenshotStudio before running it.

Install only if you are comfortable using AppScreenshotStudio as a third-party service. Before generation, review the app summary, colors, screen names, and metadata the agent found; remove secrets, unreleased strategy, or proprietary details you do not want sent externally; and confirm credit-spending chat calls before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The activation guidance is broad enough to trigger on common requests like "generate screenshots" or "ship a new app," which can cause the skill to run in situations where the user did not explicitly consent to external processing. In this skill, that is more dangerous because subsequent steps instruct the agent to inspect the local codebase and send derived project context to a third-party API.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill tells the agent to read multiple local project files and build structured codebase context, but it does not provide a user-facing warning that this information will be transmitted to an external service. That creates a real data-exposure risk because repository metadata, app structure, branding details, and store configuration may be sensitive or proprietary even if not obviously secret.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.