ClawHub

Breakthrough Thinking

Security checks across malware telemetry and agentic risk

Overview

This is a reasoning-workflow skill with broad auto-triggers, but it does not show code execution, data access, persistence, or hidden behavior.

Install only if you are comfortable with a skill that may activate on ordinary retry or frustration phrases. Prefer explicit invocation or narrow the trigger phrases if your OpenClaw setup allows it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill defines auto-trigger phrases such as “continue,” “rethink,” and “try another way,” which are common conversational phrases and can cause the skill to activate in many unrelated contexts without clear user intent. Because the skill is designed to override normal interaction flow and execute immediately when these phrases or vague 'stuck' heuristics appear, it can unexpectedly alter agent behavior, bypass user confirmation, and create prompt-routing instability across ordinary chats.

Vague Triggers

High
Confidence
97% confidence
Finding
The skill includes broad auto-trigger phrases such as 'continue', 'try another way', and similar generic retry language, then instructs the agent to invoke the skill immediately without asking the user. This can cause unintended activation during normal conversation and override more appropriate safety or clarification behavior, especially because triggering is mandatory rather than advisory.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The implicit trigger conditions are subjective and underspecified, such as 'AI stuck', 'too early', or 'no new evidence for >1 iteration', which gives the agent excessive discretion to self-activate. Ambiguous autonomy rules are dangerous because they can unpredictably alter agent behavior without clear user consent or auditable thresholds.

Vague Triggers

High
Confidence
98% confidence
Finding
The English trigger list contains everyday phrases like 'try another way', 'try harder', and 'don't give up' with no contextual guardrails, making accidental invocation likely in benign chats. Because the skill mandates immediate triggering on any match, this creates a prompt-routing vulnerability where routine user language can force a different execution policy.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal