ClawHub

Community Growth Engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only community strategy skill; its moderation, outreach, and metrics advice is disclosed and fits its purpose, with privacy checks left to the user.

Safe to install as an advisory skill. Before applying its moderation, re-engagement, monetization, or health-metrics advice, keep human approval for member-impacting actions such as DMs, mutes, bans, reports, and pricing changes, and verify privacy laws, consent expectations, retention practices, and each platform's terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill exposes very broad natural-language commands such as "Handle [situation]" and "Design my community" without explicit input boundaries, guardrails, or confirmation steps. In an agent setting, this can cause overbroad activation, unintended execution paths, or the generation of advice/actions for sensitive moderation, outreach, monetization, or member-handling scenarios from underspecified prompts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The re-engagement and behavior-monitoring playbooks rely on tracking member activity patterns such as message frequency, reactions, event attendance, and notification behavior, then using that data for direct outreach. Although framed as community operations, the skill does not pair these workflows with clear consent, notice, minimization, or retention guidance, creating privacy and compliance risk if deployed as-is.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal