ClawHub

Api Tester

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate API testing helper, but it needs review because it can send arbitrary outbound requests and includes under-disclosed hardcoded network checks.

Review the code path that runs when the skill is executed directly, especially the hardcoded google.com and example.com requests. Install only if you are comfortable with an API helper that can send any headers and payloads the agent provides, and avoid using real tokens or sensitive data except with endpoints you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The CLI/test entry point makes unsolicited outbound requests to third-party domains (google.com and example.com) that are unrelated to the core request helper’s stated purpose. This creates unnecessary external data flows, can leak execution metadata such as IP address and environment/network reachability, and may violate expectations or network policy when the skill is run in restricted or sensitive environments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill is explicitly designed to send HTTP/HTTPS requests with arbitrary headers and JSON bodies, which can include credentials, tokens, or sensitive application data. Although this is expected functionality for an API client, the documentation does not warn users about external data transmission risks, making accidental secret leakage more likely.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill performs external connectivity checks without clear disclosure in the skill description or interface, so users may trigger outbound traffic they did not intend. Even though the requests are simple, undisclosed network behavior reduces transparency and can cause compliance, privacy, or policy issues in environments where external egress is monitored or prohibited.

External Transmission

Medium
Category
Data Exfiltration
Content
const api = require('skills/api-tester');
const payload = { key: 'value' };
const headers = { 'Authorization': 'Bearer <token>' };
const result = await api.request('POST', 'https://api.example.com/submit', headers, payload);
```

### Return Format
Confidence
80% confidence
Finding
https://api.example.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal