ClawHub

URLMitra Link Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed URLMitra API helper that uses an API key to manage and inspect links, with privacy considerations but no hidden or malicious behavior found.

Install only if you trust URLMitra with your link metadata and semantic search terms. Use the least-privileged API key available, avoid sending confidential internal URLs or sensitive query text unless approved, and treat link creation, whole-workspace sweeps, and manual health checks as actions that should be user-directed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send workspace URLs, aliases, health data, and semantic search queries to an external API using a privileged workspace key, but it provides no warning, consent requirement, or data-handling limitation. This creates a real risk of unreviewed external transmission of potentially sensitive internal metadata and search content.

External Transmission

Medium
Category
Data Exfiltration
Content
env:
        - URLMITRA_API_KEY
      bins:
        - curl
        - jq
    primaryEnv: URLMITRA_API_KEY
---
Confidence
88% confidence
Finding
curl - jq primaryEnv: URLMITRA_API_KEY --- # URLMitra Link Manager Skill This skill extends your OpenClaw agent, enabling it to manage branded redirects, audit links for broken destinati

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Content-Type: application/json" \
      -H "X-API-Key: $URLMITRA_API_KEY" \
      -d '{"url": "{url}", "alias": "{slug}"}' \
      https://api.urlmitra.com/api/v1/links
    ```

### 2. Live Redirect Health Diagnostics
Confidence
93% confidence
Finding
https://api.urlmitra.com/

External Transmission

Medium
Category
Data Exfiltration
Content
*   **Command (Whole Workspace Sweep):**
    ```bash
    curl -s -H "X-API-Key: $URLMITRA_API_KEY" \
      https://api.urlmitra.com/api/v1/health/summary
    ```
*   **Command (Specific Link Verification):**
    1. Resolve the alias to its core document context first:
Confidence
94% confidence
Finding
https://api.urlmitra.com/

External Transmission

Medium
Category
Data Exfiltration
Content
1. Resolve the alias to its core document context first:
       ```bash
       curl -s -H "X-API-Key: $URLMITRA_API_KEY" \
         https://api.urlmitra.com/api/v1/links/{alias}
       ```
    2. Extract the `"id"` property from the resulting JSON, and POST to trigger the manual checker:
       ```bash
Confidence
91% confidence
Finding
https://api.urlmitra.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
       curl -s -X POST \
         -H "X-API-Key: $URLMITRA_API_KEY" \
         https://api.urlmitra.com/api/v1/health/check/{linkId}
       ```

### 3. Semantic Resource Retrieval
Confidence
90% confidence
Finding
https://api.urlmitra.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Content-Type: application/json" \
      -H "X-API-Key: $URLMITRA_API_KEY" \
      -d '{"query": "{searchTerm}"}' \
      https://api.urlmitra.com/api/v1/mitra/search
    ```

## Trigger Intents
Confidence
98% confidence
Finding
https://api.urlmitra.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal