Home Design

Security checks across malware telemetry and agentic risk

Overview

This is a coherent home-design helper, but users should treat construction outputs as drafts and be careful with private household details and API keys.

Install only if you are comfortable using it as a planning aid. Redact addresses and identifying household details from floor plans and prompts, keep API-key config files private and out of version control, review third-party image-service privacy terms, and have any wiring, plumbing, structural, or construction plans checked by qualified local professionals before buying materials or starting work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (15)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly shows API keys being stored in JSON configuration files but does not warn that these secrets must be protected, excluded from version control, and rotated if exposed. In a practical workflow, users often copy examples directly, so this can lead to accidental credential leakage through repos, shared files, backups, or logs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly pushes users toward third-party online services and instructs them to register or log in, including via social accounts, but provides no warning about privacy, data retention, prompt logging, or data-sharing practices. In the context of a skill that may generate and upload user-created prompts or design-related content, this can expose personal data, proprietary project details, or account-linked metadata to external providers without informed consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are very broad and overlap with ordinary home-improvement questions, which can cause the skill to activate in contexts where users did not explicitly request detailed renovation or construction guidance. That increases the chance of unintended disclosure, over-automation, and unsafe reliance on generated building or electrical advice.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill offers to generate full construction drawings, wiring layouts, plumbing layouts, and material lists without a clear requirement for review by a licensed architect, contractor, or electrician/plumber before real-world use. In this context, users may treat the output as build-ready guidance, creating a realistic risk of unsafe construction, code violations, property damage, or bodily harm.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill asks users to upload floor plans and CAD files but does not warn that these documents may contain sensitive personal information such as addresses, unit numbers, ownership details, or security-relevant room layouts. This omission can lead users to share more identifying or sensitive building data than necessary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This template explicitly solicits personal and household data, including household composition, children, pets, special needs, and later contact information, but provides no notice about why the data is collected, how it will be stored, who can access it, or how long it will be retained. In a skill context, collecting this level of sensitive profile data without privacy disclosures or minimization increases privacy and misuse risk even if no overt exfiltration logic is present.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This code sends user-supplied prompts to a third-party API (OpenAI image generation) without any explicit consent flow, warning, or data-handling notice. In this skill context, prompts may contain sensitive design details, personal information, or proprietary project data, so silent remote transmission can cause unintended data disclosure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This function transmits prompts and related generation parameters to the external LiblibAI service without clearly informing the user. In a content-generation workflow, prompts can embed private room descriptions, client requirements, or confidential business information, making undisclosed third-party transmission a real privacy risk.

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try:
        response = requests.post(
            "https://api.openai.com/v1/images/generations",
            headers=headers,
            json=payload,
Confidence
83% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try:
        response = requests.post(
            "https://api.liblib.ai/v1/generate",
            headers=headers,
            json=payload,
Confidence
84% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try:
        response = requests.post(f"{sd_url}/sdapi/v1/txt2img", json=payload, timeout=120)
        response.raise_for_status()
        result = response.json()
Confidence
80% confidence
Finding
requests.post(f"{sd_url}/sdapi/v1/txt2img", json=

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try:
        response = requests.post(
            "https://api.openai.com/v1/images/generations",
            headers=headers,
            json=payload,
Confidence
83% confidence
Finding
requests.post( "https://api.openai.com/v1/images/generations", headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try:
        response = requests.post(
            "https://api.liblib.ai/v1/generate",
            headers=headers,
            json=payload,
Confidence
84% confidence
Finding
requests.post( "https://api.liblib.ai/v1/generate", headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
try:
        response = requests.post(
            "https://api.openai.com/v1/images/generations",
            headers=headers,
            json=payload,
            timeout=120
Confidence
82% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
try:
        response = requests.post(
            "https://api.liblib.ai/v1/generate",
            headers=headers,
            json=payload,
            timeout=120
Confidence
82% confidence
Finding
https://api.liblib.ai/

VirusTotal

62/62 vendors flagged this skill as clean.
