Agent Builder 5bce38

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it appears to combine unrelated RPG Maker and AP Art History instructions with broad triggers that could activate unexpectedly.

Install only if you intentionally want both sets of behavior in one skill. Prefer asking the publisher to split the RPG Maker and AP Art History content into separate skills with precise triggers and explicit language-selection behavior before using it broadly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The file merges two unrelated skill purposes: one about an RPG Maker tileset tool and another about AP Art History bilingual course content. This can cause the wrong skill behavior or content to activate under unrelated requests, undermining skill integrity and making downstream routing or prompt selection unreliable.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The top-level trigger includes broad terms such as '新发售', '辅助工具DLC', and 'RPG', which are common phrases that may appear in ordinary conversation. Overbroad triggers can cause accidental activation of the skill in unrelated contexts, leading to incorrect behavior, prompt hijacking of normal requests, or unintended disclosure of irrelevant instructions.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The trigger section activates on generic phrases like 'agent_builder' and '新发售' or when a user 'needs related help,' which lacks clear boundaries. This ambiguity increases the chance of unintended invocation and makes it easier for unrelated user requests to be captured by this skill's instructions.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The merged second skill adds another set of broad triggers, including the skill name and '中英双语,' which can overlap with many normal educational or translation requests. In combination with the mixed-purpose file, this broadens the activation surface and raises the likelihood of cross-topic misfires.

Natural-Language Policy Violations

Severity: Medium
Confidence: 84%
Finding:
The merged content advertises bilingual behavior ('中英双语') without any documented user choice or activation preference. While not directly enabling code execution or data theft, it can change response language unexpectedly, confuse users, and increase the impact of accidental activation when combined with broad triggers and mixed skill identity.

VirusTotal

64/64 vendors flagged this skill as clean.
