Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 70% confidence
- Finding: Without declared permissions the skill's intent is opaque and cannot be validated.
Security checks across malware telemetry and agentic risk
This skill is a disclosed connector to a hosted DataHub API, and the sensitive behavior found is expected for that purpose.
Install only if you are comfortable sending your data requests and DataHub API key to datahub.codes or another base URL you explicitly configure. Avoid submitting secrets, private account data, or bounty payments unless you trust the DataHub service and understand its billing and data-use terms.
#### Examples:

```bash
# E-commerce API
node scripts/query.js "Add API supply: Amazon product search and reviews API. Documentation: https://api.example.com/docs"

# Social Media API
node scripts/query.js "Add API supply: LinkedIn company page data API. Docs: https://linkedin-api.example.com"
```

- User cannot find desired data and wants to offer a bounty — instead of hitting a dead end with no alternatives

## When NOT to Use

- Local file read/write operations
- Pure computation tasks (no external data needed)
- Scenarios requiring sub-second real-time responses
- General knowledge questions not related to the supported data domains

64/64 vendors flagged this skill as clean.