Add Flashcard 4c0314

Security checks across malware telemetry and agentic risk

Overview

This is a simple tutorial-style skill with no executable code, dependencies, persistence, or sensitive access, though its activation phrases are broader than ideal.

Safe to install for learning purposes. Be aware it may activate on vague phrases like "53"; users or maintainers should prefer a more specific trigger such as a geography-flashcard image tutorial phrase.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (93% confidence)

Finding:
The trigger phrases include highly generic terms like "53" and a common functional phrase like "add-flashcard", which can cause the skill to activate during unrelated user conversations. This creates unintended invocation risk, where the agent may route requests to the wrong skill and produce irrelevant or misleading behavior.

Vague Triggers

Medium (95% confidence)

Finding:
The manifest trigger string "add-flashcard / 53 / Build / Geography" is underspecified and includes the generic numeric token "53", making accidental activation likely. In agent systems, ambiguous manifest triggers can cause skill collision and misrouting, especially when numbers or common words appear in unrelated requests.

Vague Triggers

Medium (92% confidence)

Finding:
The merged trigger section repeats the same vague activation design, again allowing generic terms like "53" and the skill name to trigger execution too broadly. Duplicating weak triggers increases the chance of unintended activation and makes maintenance harder because the ambiguity exists in multiple places.

VirusTotal

59/59 vendors flagged this skill as clean.
