rubric-gap-analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple rubric helper that reads the Mac clipboard when invoked, but users should avoid running it with unrelated sensitive clipboard contents.

Install only if you are comfortable with the skill reading your current Mac clipboard. Before using it, copy only the rubric or assignment text you want analyzed, and do not run it while passwords, API keys, private notes, or unrelated confidential content are on the clipboard.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The script reads the entire system clipboard and prints it to stdout, which can expose unrelated sensitive data such as passwords, personal messages, API keys, or proprietary text. For a skill described as analyzing rubric/assignment gaps, silently pulling from the clipboard is broader than necessary and increases the chance of collecting data the user did not intend to share.

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs the agent to read from the system clipboard, but the user-facing description and usage text do not clearly warn that clipboard contents will be accessed. This can cause unintended exposure of sensitive data if the clipboard contains passwords, API keys, personal data, or unrelated confidential text when the skill is triggered.

Missing User Warnings

Medium (97% confidence)
Finding
After reading the clipboard, the script immediately outputs the captured text between markers with no warning, preview, or consent step. This can leak sensitive clipboard contents into logs, terminal history, agent transcripts, or downstream systems, especially if the clipboard contains data unrelated to the rubric task.

VirusTotal

57/57 vendors flagged this skill as clean.