ClawHub

Performance Engineering System

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only performance engineering skill with disclosed profiling and load-testing guidance that matches its stated purpose.

Install this only if you want your agent to advise on profiling, benchmarking, and load-testing workflows. Review commands before running them, prefer staging or controlled environments, only test systems you own or are authorized to test, and protect generated traces or memory snapshots because they can contain application data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README suggests very generic trigger phrases such as 'Why is this endpoint slow?' and 'Load test the API,' which can easily overlap with ordinary user requests rather than explicit invocation of the skill. In agent systems that auto-route or auto-activate skills based on prompt similarity, this can cause unintended execution of performance-engineering workflows, including profiling or load-testing guidance, when the user did not explicitly request this skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The natural-language triggers are very broad phrases such as "Profile this function" and "Why is this endpoint slow," which plausibly overlap with ordinary user requests. In agent systems that auto-route or auto-invoke skills based on trigger text, this can cause unintended invocation of a powerful performance-engineering skill, leading to inappropriate profiling, benchmarking, or optimization guidance in contexts where it was not explicitly requested.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal