ClawHub

Terminal Command Execution@1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only helper for terminal work; its broad command-related purpose is disclosed and paired with safety checks.

Install this only if you want the agent to help run terminal commands. Review high-impact commands carefully, especially deletion, permission changes, package installs, service starts, network operations, or anything requiring elevated privileges. VirusTotal is still pending, but the inspected artifacts are non-executable and static scan found no suspicious patterns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manifest description says to use the skill when users ask to run commands, inspect system state, manage files, install dependencies, start services, debug failures, or automate workflows. This is a very broad set of triggers without explicit boundaries or negative examples, increasing the chance of unintended invocation for many routine requests.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- Include exact next command only when additional user action is required.

## Safety Rules
- Avoid destructive commands by default (`rm -rf`, force resets, broad chmod/chown) unless explicitly requested.
- Never assume network, permissions, or package managers are available; test first.
- Prefer scoped operations (specific files/paths/services) over global changes.
- Keep secrets out of command output and logs.
Confidence
85% confidence
Finding
rm -rf`, force resets, broad chmod/

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal