ClawHub

CrowTerminal

Security checks across malware telemetry and agentic risk

Overview

CrowTerminal is a disclosed external-memory API skill, but users should treat uploaded creator analytics as sensitive third-party data.

Install only if you are comfortable sending creator or client analytics to CrowTerminal for persistent storage. Use a dedicated API key stored as a secret, avoid uploading personal or proprietary data without permission, minimize or redact data where possible, and review the provider's privacy, retention, deletion, and webhook-security practices before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs users to upload creator/platform analytics data such as retention curves and watch-time to a third-party remote service, but it provides no privacy notice, data classification guidance, consent requirements, or warning about transmitting potentially sensitive business or personal data. In the context of influencer/customer analytics, this can lead to unreviewed exfiltration of proprietary performance data or personal data to an external vendor.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation shows self-registration for an API key and repeated authenticated requests but does not warn users to protect the credential, avoid logging it, or store it in a secure secret manager/environment variable workflow. This omission can contribute to accidental credential exposure, especially when examples are copied into shells, scripts, CI logs, or shared notebooks.

External Transmission

Medium
Category
Data Exfiltration
Content
Push platform data we can't access via API:

```bash
curl -X POST "https://api.crowterminal.com/api/agent/data/ingest" \
  -H "Authorization: Bearer $CROWTERMINAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
91% confidence
Finding
https://api.crowterminal.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Webhooks (Async Notifications)

```bash
curl -X POST "https://api.crowterminal.com/api/agent/webhooks" \
  -H "Authorization: Bearer $CROWTERMINAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
84% confidence
Finding
https://api.crowterminal.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal