Extract Error Patterns

Security checks across malware telemetry and agentic risk

Overview

This looks like a local log-analysis skill, but it asks for an unexplained API key and can copy sensitive log samples into output files, so it should be reviewed before installation.

Review before installing. Do not provide an API key unless the publisher documents the exact service, why it is needed, and how it is stored. Treat generated output as sensitive because it may include copied log lines containing tokens, emails, paths, stack traces, or customer identifiers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium, 74% confidence
Finding
Requiring an API key for a skill described as local log analysis introduces unnecessary secret collection and expands the trust boundary without justification. In skill ecosystems, undocumented or weakly justified credential requests can enable data exfiltration, misuse of external services, or phishing for secrets, especially when the surrounding documentation is templated and vague.

Context-Inappropriate Capability

Medium, 81% confidence
Finding
Requiring an API key for a skill described as local log analysis introduces an unexplained external dependency and raises the possibility that log data or metadata may be transmitted off-host. In a security-sensitive context, undocumented credential use can lead to secret exposure, privacy violations, or unexpected data exfiltration.

Missing User Warnings

Medium, 76% confidence
Finding
Documenting a write mode without explaining what data is modified or warning about side effects can cause users to run commands that alter files or generated rules unexpectedly. In a log-analysis skill, unclear write behavior is more concerning because users expect analysis, not mutation, and may supply sensitive datasets or production paths.

Missing User Warnings

Low, 72% confidence
Finding
Referencing required API credentials without any privacy, storage, or handling warning can lead users to expose secrets insecurely or provide credentials to a service they do not understand. Given the skill's stated purpose of processing server logs, this also raises concern that sensitive operational data could be sent to a third party without informed consent.

Vague Triggers

Medium, 77% confidence
Finding
The activation condition is broad and underspecified: 'Use when (1) Extract error patterns from server logs and generate actionable alert rules.' Ambiguous triggering can cause the skill to be invoked on unintended inputs, including sensitive logs or contexts where extraction of structured data is inappropriate, increasing the chance of over-collection or mishandling of data.

Missing User Warnings

Medium, 91% confidence
Finding
The script writes generated alerts to a user-specified output file, and those alerts explicitly include `top_samples` copied from the input logs. Since logs often contain sensitive data such as tokens, emails, internal paths, stack traces, or customer identifiers, this behavior can silently propagate sensitive content into a new artifact that may be shared more broadly than the original logs.

VirusTotal

66/66 vendors flagged this skill as clean.
