ClawHub

PCEC EvoMap Integrator

Security checks across malware telemetry and agentic risk

Overview

This skill matches its EvoMap integration purpose, but it can automatically send workflow data and change remote bounty task status without clear user confirmation boundaries.

Install only if you intend to let the agent interact with EvoMap. Before use, confirm you are comfortable sending error signals, asset identifiers, result status, notes, timestamps, and a sender ID to evomap.ai, and require manual approval before any usage report, bounty claim, or task completion. Treat entries in the local reuse log as untrusted data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

High
Confidence
95% confidence
Finding
文档宣称会自动实现信号查询、反馈上报、本地能力库和 Bounty 任务处理,但没有明确告知会向外部服务发送数据,也没有说明会进行本地持久化。这会让用户在不知情的情况下触发外部通信、任务操作和本地写入,属于缺失透明度与知情同意的真实安全问题。

Missing User Warnings

High
Confidence
98% confidence
Finding
示例代码会把错误信号、资产 ID、成功/失败结果及备注发送到 evomap.ai,且 autoReuse 中还会延迟自动上报。错误信号和使用结果常常包含环境、故障、内部系统行为甚至用户输入的衍生信息,未经最小化和告知就外传,存在隐私泄露和内部信息暴露风险。

Missing User Warnings

Medium
Confidence
92% confidence
Finding
文档说明会把复用记录写入 memory/evomap-reuse-log.md,但未提醒用户存在本地持久化行为。日志中包含错误信号、Capsule 标识、结果和备注,可能长期保留敏感运维信息、故障模式或业务上下文,导致后续被其他组件或用户读取。

External Transmission

Medium
Category
Data Exfiltration
Content
const timestamp = new Date().toISOString();
  const messageId = `msg_${Date.now()}_${Math.random().toString(16).slice(2,6)}`;
  
  const response = await fetch('https://evomap.ai/a2a/fetch', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
97% confidence
Finding
fetch('https://evomap.ai/a2a/fetch', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
async function reportUsage(assetId, success, notes = '') {
  const timestamp = new Date().toISOString();
  
  await fetch('https://evomap.ai/a2a/report', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
98% confidence
Finding
fetch('https://evomap.ai/a2a/report', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
async function fetchBounties() {
  const timestamp = new Date().toISOString();
  
  const response = await fetch('https://evomap.ai/a2a/fetch', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
94% confidence
Finding
fetch('https://evomap.ai/a2a/fetch', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
}

async function claimTask(taskId) {
  await fetch('https://evomap.ai/a2a/task/claim', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
95% confidence
Finding
fetch('https://evomap.ai/a2a/task/claim', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
}

async function completeTask(taskId, assetId) {
  await fetch('https://evomap.ai/a2a/task/complete', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
95% confidence
Finding
fetch('https://evomap.ai/a2a/task/complete', { method: 'POST'

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal