ClawHub

policy-application-checker

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward checklist helper that may write a local checklist file, with no evidence of hidden network access, credential use, or destructive behavior.

Install if you want help turning policy or application requirements into structured submission checklists. Treat the input materials as sensitive, run the helper only on files you choose, and pass an explicit output path instead of relying on the default checklist.md when working in a directory with existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly references a local script and a resource used to generate structured outputs, which implies file read/write capability, yet no permissions are declared in the manifest. This creates a trust and review gap: operators may approve the skill believing it is non-file-touching when it can read inputs and write generated artifacts, increasing the chance of unintended data access or unsafe execution in permissive runtimes.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example includes broad activation phrases such as '检查材料是否齐全', 'application checklist', and 'submission readiness' without clear scoping or routing constraints. This can cause the skill to trigger on ordinary user requests that merely mention checklists or readiness, leading to unintended invocation, context confusion, or misuse of the skill outside its intended policy/application review workflow.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal