ClawHub

Skill Publish Vetter

Security checks across malware telemetry and agentic risk

Overview

This is a useful local pre-publish scanner, but it can paste detected secrets and private details into the chat transcript.

Install only if you are comfortable with scan findings appearing in the agent conversation. Prefer using a redacted summary or inspecting full results locally, especially when scanning directories that may contain real tokens, passwords, .env files, personal paths, emails, or internal network details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly requires outputting the complete scan report to chat even though the scan is designed to detect secrets, credentials, personal emails, paths, and internal IPs. That creates a direct data-exposure path where sensitive findings are echoed back into the conversation, logs, or downstream integrations.

Ssd 3

High
Confidence
99% confidence
Finding
Pasting the complete privacy scan report into chat can disclose the exact secrets and personal data that the scan found, defeating the privacy purpose of the skill. In many systems, chat content is retained, indexed, or visible to other tools, amplifying the impact of accidental leakage.

Ssd 3

High
Confidence
99% confidence
Finding
The mandatory confirmation template hard-requires inclusion of the full scan report, which institutionalizes disclosure of detected secrets as part of the publish flow. This makes exposure repeatable and likely whenever risky content is found, especially in exactly the cases where privacy protection matters most.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal