ClawHub

Multisage

Security checks across malware telemetry and agentic risk

Overview

The skill’s main purpose is clear, but its setup instructions can expose the Multisage API key by printing it from local environment files into the agent session.

Install only if you trust the Multisage npm package and provider. Before use, configure the API key securely without printing it in the agent session, and avoid sending sensitive information in prompts because the query is shared with multiple external AI services.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Medium
What this means

Your Multisage API key could be revealed in the session transcript or logs, allowing anyone with access to use your Multisage account credits.

Why it was flagged

This setup command can print the full Multisage API key from local environment files into the agent/tool output, exposing a credential even though the credential is purpose-aligned.

Skill content
grep MULTISAGE_API_KEY .env 2>/dev/null || grep MULTISAGE_API_KEY ~/.env 2>/dev/null
Recommendation

Set MULTISAGE_API_KEY outside the agent transcript, avoid commands that print the secret, and update the skill to declare the credential and use a non-printing presence check.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the CLI gives code from the npm package the ability to run locally, so package provenance matters.

Why it was flagged

The skill depends on an externally installed global npm package that is not included in the reviewed artifacts. This is central to the stated purpose, but users must trust the package source.

Skill content
npm install -g multisage
Recommendation

Verify the npm package publisher and version before installing; prefer a pinned, documented install method where possible.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Questions you ask through this skill may be processed by multiple external AI services.

Why it was flagged

The skill explicitly sends the user’s query to Multisage and multiple external AI providers. This is purpose-aligned and disclosed, but it is an important data-flow consideration.

Skill content
Multisage sends your question to Claude, GPT, and Gemini simultaneously
Recommendation

Avoid sending secrets, private documents, or regulated data unless you are comfortable with Multisage and its downstream provider handling.