OKR & Strategy Execution Engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only OKR planning skill with no code execution, credential use, persistence, or external data handling.

Safe to install as a strategy and OKR planning aid. Be aware it may respond to broad planning language, so review its advice before using it for resource allocation, performance discussions, or company strategy decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The quick-start section uses very broad natural-language triggers such as "Set OKRs for Q2," "Run quarterly planning," and related goal-setting phrases without defining tighter activation boundaries. In an agent ecosystem, broad triggers can cause unintended invocation in loosely related conversations, which may lead the agent to apply this skill when the user did not explicitly request structured OKR behavior, reducing predictability and increasing prompt-surface risk.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes broad phrases such as "prioritize," "alignment," and "what should we focus on," which can match many ordinary business conversations outside a clear OKR context. This can cause the skill to activate opportunistically, overriding more appropriate domain skills or injecting strategic-planning guidance into unrelated workflows, increasing prompt-routing and context-confusion risk.

VirusTotal

66/66 vendors flagged this skill as clean.
