Poc Validator

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for vulnerability replay, but it forwards sensitive request data and disables HTTPS certificate checks by default, so it needs review before use.

Install only if you understand it is a dual-use security testing helper. Use it only on systems you are authorized to test. Strip Cookie, Authorization, API keys, CSRF tokens, and private body fields from replayed requests unless you are using controlled test credentials, and be aware that HTTPS certificate validation is disabled by default in the replay script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The workflow explicitly instructs passing raw headers, including Cookie and User-Agent, into a replay script without warning that these may contain session tokens, API keys, or identifying data. Because the skill is designed to replay malicious payloads against targets, it increases the chance of forwarding live credentials to external systems or using them in unauthorized vulnerability verification, which can lead to account compromise or unauthorized access.

Context Leakage

Severity: High
Category: Data Exfiltration
Content:
for pattern in error_patterns:
    match = re.search(pattern, text, re.IGNORECASE)
    if match:
        # Extract context around the error (200 chars before, 800 after)
        start = max(0, match.start() - 200)
        end = min(len(text), match.end() + 800)
        return f"...{text[start:end]}..."
Confidence: 91%
Finding: Extract context

Unsafe Defaults

Severity: Medium
Category: Tool Misuse
Content:
if args.method.upper() == "POST":
    if "Content-Type" not in headers:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    response = requests.post(args.url, data=args.data, headers=headers, verify=False, proxies=proxies, timeout=15)
else:
    response = requests.get(args.url, params=args.data, headers=headers, verify=False, proxies=proxies, timeout=15)
Confidence: 97%
Finding: verify=False

Unsafe Defaults

Severity: Medium
Category: Tool Misuse
Content:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    response = requests.post(args.url, data=args.data, headers=headers, verify=False, proxies=proxies, timeout=15)
else:
    response = requests.get(args.url, params=args.data, headers=headers, verify=False, proxies=proxies, timeout=15)

snippet = extract_error_snippet(response.text)
Confidence: 97%
Finding: verify=False

VirusTotal

65/65 vendors flagged this skill as clean.
