TOSR Publish Then Update Test

Security checks across malware telemetry and agentic risk

Overview

This is a clearly labeled integration-test skill that discloses its live ClawHub publish, update, inspect, and delete lifecycle behavior.

Install or use this only if you intend to run a live ClawHub lifecycle test. Use test credentials and a disposable test slug, and confirm cleanup afterward if the test is interrupted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly states it performs publish, update, and delete operations against the real clawhub API, but it does not prominently warn that running it will modify live remote resources. Even if intended as an integration test, this creates a real risk of unintended state changes, accidental execution in production contexts, and misuse by operators who may not realize the actions are destructive.

VirusTotal

64/64 vendors flagged this skill as clean.
