ClawHub

Decision Engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only decision-support skill with broad trigger phrases, but it does not request system access, credentials, persistence, or external actions.

Installers should treat this as a structured thinking aid, not a substitute for accountable legal, financial, medical, or executive judgment. In agents that auto-activate skills, prefer explicitly invoking it by name when you want Decision Engine applied, because some trigger phrases are intentionally broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The invocation phrase 'Help me decide whether to [your decision]' is extremely broad and overlaps with normal user language, making accidental or unintended triggering plausible. In agent environments where skills auto-activate based on natural-language matching, this can cause the skill to engage in contexts the user did not intend, potentially steering decisions, exposing context to the skill, or interfering with higher-priority workflows.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill defines activation phrases such as 'Help me decide [X]', 'What am I missing?', and 'Score this decision' using broad, natural language patterns that users may say in ordinary conversation. In agent systems that route to skills by trigger matching, these generic phrases can cause unintended invocation, leading the decision framework to engage in contexts where the user did not explicitly request this skill.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal