ClawHub

DataEase

Security checks across malware telemetry and agentic risk

Overview

This skill matches its DataEase dashboard export purpose, but it handles live tokens and sensitive dashboard content in ways users should review before installing.

Install only if you trust the machine and DataEase instance. Use a least-privileged or short-lived DataEase account/token, keep .env private, avoid shared terminals and logs, treat exported screenshots/PDFs as confidential, and review command output for live tokens before sharing transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documentation states that it reads DataEase credentials from environment variables and exports dashboards/screens to files, but it does not explicitly warn about privacy, data handling, or the sensitivity of generated artifacts. Because dashboards and screenshots may contain confidential business data, silent export to local storage can lead to unintended disclosure, retention, or mishandling of sensitive information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation explicitly describes handling long-lived authentication material, generating ask-tokens, and injecting `data.token` into `localStorage.user.token` for browser-based preview/export, but provides no warning about token secrecy, storage risks, browser/session leakage, or audit implications. In this skill’s context, those instructions materially enable credential misuse, cross-org access with switched context, and accidental exposure of privileged tokens through logs, screenshots, browser profiles, or automation artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal