ClawHub

finddata.skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed FindData API helper, but users should handle the required API key carefully because queries and the key are sent to FindData.

Install only if you trust FindData with your queries and FindData API key. Prefer setting FINDDATA_API_KEY as an environment variable or managed secret instead of pasting the key into chat, avoid private business or personal data in queries, and rotate the key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to extract a user-provided API key from the same message and send it to an external service, but it does not clearly warn the user that their credential will be transmitted off-platform. This creates a credential-handling risk and weakens informed consent around secret disclosure to a third party.

Ssd 3

Medium
Confidence
99% confidence
Finding
The skill tells the model to pull a secret-like token from the user's natural-language message and reuse it as an HTTP header. This normalizes secret extraction from conversational text and can lead to accidental credential exfiltration, misuse of unrelated tokens in the same message, or forwarding secrets without clear user intent at execution time.

Ssd 3

Medium
Confidence
98% confidence
Finding
The setup section repeats the unsafe pattern of harvesting API keys from user messages when present. Reiterating this behavior in operational guidance increases the chance that agents will treat any odh_-looking string in chat as reusable authentication material and send it to the external endpoint.

External Transmission

Medium
Category
Data Exfiltration
Content
## Usage

```bash
curl -s -X POST https://finddata.ai/api/query \
  -H "X-API-Key: $FINDDATA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "Apple stock price"}'
Confidence
95% confidence
Finding
curl -s -X POST https://finddata.ai/api/query \ -H "X-API-Key: $FINDDATA_API_KEY" \ -H "Content-Type: application/json" \ -d '{"query": "Apple stock price"}' ``` ### More examples ```bash # US

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal