Security Tester

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate security testing guide, but it needs review because its copyable examples could stress, alter, or probe real systems without explicit authorization safeguards.

Install only if you perform authorized security testing. Before using it, define the approved target scope, prefer staging or test accounts, review each command manually, set low request limits, and avoid destructive, SSRF, brute-force, or resource-exhaustion checks unless they are explicitly permitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill provides concrete offensive security testing steps, including brute-force attempts, injection payloads, force browsing, and method tampering, but does not clearly require prior authorization, scope validation, rate limiting, or warnings about service disruption and legal impact. In a reusable agent skill, this omission is dangerous because it can normalize or facilitate testing against unintended targets and can cause account lockouts, data modification attempts, or operational disruption.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This reference file includes resource-consumption and SSRF test payloads that can cause service degradation, trigger cloud metadata access attempts, or probe internal services, but it does not clearly restrict their use to authorized test environments. In a security-testing skill, such content is expected, yet the lack of explicit safety constraints and disruption warnings increases the chance of misuse or accidental harm against production systems.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Brute force protection (OWASP-AT-004)
for i in $(seq 1 20); do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
    -X POST "$URL/api/login" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"admin\",\"password\":\"wrong$i\"}")
```
Confidence
88% confidence
Finding
curl -s -o /dev/null -w "%{http_code}" \ -X POST "$URL/api/login" \ -H "Content-Type: application/json" \ -d

Credential Access

High
Category
Privilege Escalation
Content
```bash
# Command Injection (CWE-78)
CMD_PAYLOADS=(
  '; ls -la'
  '| cat /etc/passwd'
  '$(whoami)'
  '`id`'
)
```
Confidence
91% confidence
Finding
/etc/passwd

VirusTotal

65/65 vendors flagged this skill as clean.
