ClawHub

Customer Support Operations Engine

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-style customer support operations guide with no evidence of hidden execution, data theft, or destructive behavior.

Reasonable to install if you want customer-support planning templates and operational guidance. Be aware that it contains promotional links and broad command examples, so review outputs for relevance if your agent auto-selects skills based on ordinary workplace phrases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill exposes very broad natural-language triggers such as "Assess our support function" that are close to ordinary user requests and can be matched outside a clearly scoped invocation flow. In an agent environment with automatic skill selection, this can cause unintended activation, routing user input into this skill when the user did not explicitly mean to invoke it, creating prompt-scope confusion and increasing the chance of inappropriate instructions or commercial content being injected into otherwise normal conversations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger "Set up ticket management" is underspecified and generic enough to overlap with common workplace requests, so the skill may activate during unrelated conversations about project tickets, IT ticketing, or issue tracking. Because this skill contains extensive operational guidance and promotional links, accidental activation broadens its influence over agent behavior and can steer outputs in ways the user did not explicitly request.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal