solar-delegation

Security checks across malware telemetry and agentic risk

Overview

This skill appears aimed at model or gateway setup, but it asks for persistent configuration and service changes while handling API-key setup without enough safety guidance.

Review the setup steps before installing. Only proceed if you are comfortable with it changing gateway/model configuration and possibly restarting services, and store OpenRouter keys through environment variables or a secret store rather than checked-in JSON. Back up existing config first and require explicit confirmation before any persistent changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings
Severity: Medium
Confidence: 95%

Finding: The skill instructs the agent to apply threshold/session changes to persistent memory or configuration, but it does not require an explicit confirmation or warning that durable settings will be modified. This can cause unintended configuration drift or unauthorized environment changes if a casual user request is interpreted as approval to update persistent state.

Missing User Warnings
Severity: Medium
Confidence: 97%

Finding: The first-time setup steps direct the agent to modify gateway configuration and restart or reload services, but they do not include a prominent warning about system impact or a hard confirmation gate before making those changes. In practice, this could lead to service disruption, unexpected provider routing changes, or accidental exposure of API-backed integrations through an automated setup flow.

Missing User Warnings
Severity: Medium
Confidence: 95%

Finding: The guide instructs users to place a real OpenRouter API key directly into a JSON configuration example, but does not warn against committing secrets to disk, source control, screenshots, or logs. This creates a realistic risk of credential exposure and unauthorized model usage, especially because setup guides are often copied verbatim into persistent config files.

VirusTotal

64/64 vendors flagged this skill as clean.