api-spec-to-mock-server

Security checks across malware telemetry and agentic risk

Overview

This skill is a mostly documentation-only helper for generating mock servers from API specs, with no evidence of hidden execution, exfiltration, persistence, or destructive behavior.

Before installing, treat this as a code-generation aid: provide only API specs you are comfortable sharing with the agent, keep any API key in an environment variable, and review generated server files before running them. The README is template-like, so rely on SKILL.md for the actual activation scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding
The README leaves the trigger condition as a placeholder ('When triggered: [trigger condition]'), so the activation boundary for the skill is undefined. In an agent environment, ambiguous invocation criteria can cause the skill to run in unintended contexts, increasing the chance that untrusted API specifications or unrelated user content are processed when they should not be.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README declares `API_KEY` as required but provides no guidance on secure storage, scoping, redaction, or privacy implications. This can lead users or downstream agents to expose credentials in command lines, config files, logs, prompts, or generated mock-server artifacts, creating unnecessary secret-handling risk.

Missing User Warnings

Medium
Confidence: 77%
Finding
The README advertises a write mode with an input file but gives no warning about file-modifying behavior, output locations, or overwrite risk. In an agent skill context, ambiguous write operations can lead users or calling systems to authorize filesystem changes without understanding what may be created, modified, or replaced.

VirusTotal

62/62 vendors flagged this skill as clean.