Test Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real ClawHub publishing tool, but it uploads local files using an embedded ClawHub API token and gives users too little control over what is sent.

Review this before installing or running it. Use only on a clean skill directory, inspect the exact files first, and avoid the published version unless the hard-coded ClawHub token is removed and replaced with your own explicit authentication plus a dry-run or confirmation step.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script enumerates local files and uploads their contents to a remote service without any explicit confirmation, dry-run preview, or warning about what will be transmitted. In a skill/publishing context, this increases the chance of accidental disclosure of sensitive local material, especially if users point --path at the wrong directory or include secrets in publishable file types.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal