Axure Prototype Generator

Security checks across malware telemetry and agentic risk

Overview

This skill openly generates JavaScript prototypes for Axure and shows no hidden data access or destructive behavior, but users should review generated code before running it.

Install only if you are comfortable with a skill that produces JavaScript for Axure previews. Before pasting generated code into Axure, check for unexpected external links, network requests, credential handling, or code unrelated to the prototype. Treat any license code as paid access information, and do not rely on the promotional download or rating claims as proof of safety.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 95%
Finding
The README advertises extremely broad invocation phrases like generic requests to build dashboards or admin systems, which increases the chance the skill is triggered in unintended contexts. Over-broad triggers can cause an agent to route ordinary user requests into a code-generating skill that emits executable HTML/JavaScript, expanding the attack surface for prompt-injection, unsafe code generation, and user confusion.

Missing User Warnings

High
Confidence: 99%
Finding
The README explicitly instructs users to paste generated JavaScript into Axure's JavaScript URL field and execute it, but provides no warning, sandboxing guidance, or restriction on generated code. Because the skill's core output is executable code loaded into an embedded browser/frame context, unsafe or manipulated output could execute arbitrary script, exfiltrate data, load remote resources, or perform actions the user does not understand.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs users to paste generated JavaScript into an Axure inline frame and execute it, but provides no warning that the output is active code capable of running arbitrary scripts in the preview context. This increases the risk that users treat generated output as harmless design content and execute unsafe code, enabling XSS-like behavior, data exfiltration from the Axure preview context, or unsafe external resource loading.

VirusTotal

64/64 vendors flagged this skill as clean.
