ClawHub

Aport Id

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for registering an APort identity, but users should understand it sends an email and agent profile to APort and may make the passport publicly visible.

Before installing or using this skill, confirm you are comfortable sending your email, agent name, description, capabilities, and optional deliverable criteria to APort. Change or confirm showInGallery before issuing a passport, and review any saved aport-passport.json or README badge before sharing a repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly directs the agent to collect the user's email and identity details and send them to a third-party API, but it does not present a clear upfront consent and data-sharing warning before collection. Because the email is used to create an external identity record and trigger a claim email, users may disclose personal data without understanding that it will be transmitted to and processed by APort.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The registration flow sets `showInGallery: true` in the sample payload and later instructs the agent to share a public passport URL, but the skill never warns up front that submitted identity information may become publicly accessible or listed in a gallery. This creates a real privacy risk because users may unintentionally publish identifying information and persistent agent metadata to the public internet.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal