Cid Tracking

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ad-tracking and reporting toolkit, but it should be used carefully because it handles ad credentials and conversion data.

Install only in a controlled environment. Keep config.json out of source control, use least-privilege and rotated ad API credentials, avoid putting IMEI or other persistent identifiers in URLs, review what conversion/order fields are sent to each ad platform, and approve any cron jobs or WeChat/DingTalk-style alert forwarding before enabling them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (11)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs users to send conversion/order data to ad platforms and operational alerts to external messaging services, but it does not warn that these payloads may contain sensitive business or personal data. In this marketing attribution context, order identifiers, conversion values, CIDs, and alert contents can reveal customer behavior and commercial performance, increasing the risk of privacy leakage, accidental over-sharing, or non-compliant data transfers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly supports sending order and conversion data back to advertising platforms, but the documentation provides no warning about what data may be shared, legal/privacy implications, or the need to minimize personal data. In an ad-tracking context, this omission can lead users to transmit customer-linked purchase data to third parties without adequate consent, review, or controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to place access tokens and secret keys in a local configuration file and use them across multiple ad platforms, but it does not warn about secure storage, least privilege, or preventing accidental disclosure. This creates a realistic risk of credential leakage through source control, logs, shared files, or weak filesystem protections, which could enable unauthorized access to ad accounts and associated data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly recommends passing IMEI and CID in URL query parameters, which exposes persistent device/tracking identifiers in browser history, server logs, analytics tools, referrer headers, and potentially third-party systems. Even though the document later mentions privacy compliance in general, it does not place a warning or restriction near this implementation guidance, so readers may adopt a privacy-invasive pattern by default.

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.0.0
pandas>=1.3.0
requests>=2.25.0
matplotlib>=3.4.0
Confidence
92% confidence
Finding
openpyxl>=3.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.0.0
pandas>=1.3.0
requests>=2.25.0
matplotlib>=3.4.0
python-dateutil>=2.8.0
Confidence
92% confidence
Finding
pandas>=1.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.0.0
pandas>=1.3.0
requests>=2.25.0
matplotlib>=3.4.0
python-dateutil>=2.8.0
Confidence
94% confidence
Finding
requests>=2.25.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.0.0
pandas>=1.3.0
requests>=2.25.0
matplotlib>=3.4.0
python-dateutil>=2.8.0
Confidence
90% confidence
Finding
matplotlib>=3.4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=1.3.0
requests>=2.25.0
matplotlib>=3.4.0
python-dateutil>=2.8.0
Confidence
90% confidence
Finding
python-dateutil>=2.8.0

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
95% confidence
Finding
openpyxl

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

VirusTotal

65/65 vendors flagged this skill as clean.
