Skill Discovery Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it ships a real-looking payment API key and exposes notification, subscription, and payment controls without adequate scoping.

Review before installing. Do not use the bundled SkillPay key; treat it as exposed and require your own rotated credential. Run the service only on localhost or behind authentication, and do not expose notification, subscription, status, or payment callback endpoints until they verify callers, payment webhooks, and ownership of Telegram, Discord, and email destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

High
Confidence: 99%
Finding
The README embeds what appears to be a real SkillPay API key in the example .env configuration instead of a clearly fake placeholder. Publishing a live secret in documentation can enable unauthorized API usage, billing abuse, account compromise, and further pivoting if the key grants broader access.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The manifest contains a raw secret-like API key directly in a distributable skill file, which exposes credentials to anyone who can view, install, or index the package. This is especially dangerous because the skill’s declared purpose is discovery/notification, not secure credential exchange, so the embedded key is unnecessary in client-visible metadata and could be abused for unauthorized API access, billing fraud, or lateral compromise of linked services.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill exposes notification and subscription flows that collect personal contact data such as Telegram chat IDs and email addresses, but the documentation provides no privacy notice, retention policy, consent language, or description of how that data is stored and used. This creates privacy and compliance risk because users may submit identifiers and contact details without informed consent or clear handling guarantees, and operators may implement insecure or excessive data retention by default.

Missing User Warnings

Medium
Confidence: 86%
Finding
The configuration section lists API keys, bot tokens, webhook URLs, and SMTP credentials without any warning or guidance on secure handling. This is dangerous because users may place secrets directly in insecure files, logs, screenshots, or repositories, increasing the chance of credential leakage and unauthorized access to messaging, payment, or email infrastructure.

Missing User Warnings

Medium
Confidence: 78%
Finding
The code transmits discovered skill data to Telegram, Discord, and email, but there is no visible consent, destination validation, or data-minimization control in this file before sending off-system. In this context, users can provide channel details and trigger outbound delivery, which increases the risk of unintended data disclosure, misdelivery, or use of the service as an exfiltration relay if upstream data contains sensitive content.

VirusTotal

65/65 vendors flagged this skill as clean.
