Report Processor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local report-processing skill, with privacy considerations around sending report text to a local Ollama service and saving extracted JSON results.

Install only if you are comfortable processing the selected reports through your local Ollama setup and saving extracted results under your home directory. Avoid using it on confidential reports unless you understand your Ollama deployment, logging, access controls, and cleanup expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly states that extracted report data is saved to a persistent directory under the user's home folder, but it does not disclose retention, sensitivity, access controls, or cleanup behavior. Research reports can contain proprietary or non-public financial information, so silent persistence increases the risk of unintended local data exposure, over-retention, or later access by other processes or users on the same system.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script sends up to 50,000 characters of report content into an external model process without explicit consent, warning, or classification checks. Even though OLLAMA_HOST is set to localhost, the design still transfers potentially sensitive financial research into another service boundary, which can create confidentiality and compliance risk depending on model configuration, logging, and deployment.

VirusTotal

65/65 vendors flagged this skill as clean.
