Ai Agent 441222

Security checks across malware telemetry and agentic risk

Overview

This is a text-only, low-impact AI-agent guide skill, but its triggers and content are broad, duplicated, and somewhat promotional.

Install only if you want a loose Chinese-language AI-agent learning note assembled from video sources. Expect noisy, repeated, and promotional content, and be aware it may activate on broad phrases like “AI Agent” unless your skill runner requires explicit invocation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger section activates on highly generic phrases like "AI Agent" and broad help requests, which can cause the skill to be invoked during ordinary unrelated conversations. In a skill system, overbroad activation increases the chance of unintended routing, prompt/context pollution, and user confusion, especially because this file has multiple merged sections that amplify the same behavior.

Vague Triggers

Medium
Confidence: 93%
Finding
The manifest trigger string contains broad marketing-style phrases that are not specific enough to safely distinguish this skill from normal discussion of AI agents. Because manifest triggers are often used for automatic matching, ambiguous strings can cause accidental invocation and unintended exposure of this skill's content in unrelated sessions.

Vague Triggers

Medium
Confidence: 94%
Finding
This merged trigger block repeats vague patterns such as generic requests for help related to the skill, which are too broad to serve as safe activation criteria. Repetition across merged content makes accidental triggering more likely and suggests the file has not been curated to enforce least-privilege activation.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger section uses generic promotional phrases such as API recommendation wording that could easily appear in ordinary conversation or unrelated content. This creates ambiguous invocation criteria and may route users into this skill unexpectedly, which is riskier here because the document is composed of auto-merged, low-trust external content.

Vague Triggers

Medium
Confidence: 94%
Finding
This repeated trigger block continues the same pattern of broad help-based activation without any limiting conditions, raising the probability of false activation. In aggregate with other duplicated sections, it increases attack surface for context hijacking and makes system behavior less predictable.

Vague Triggers

Medium
Confidence: 94%
Finding
The final trigger section still relies on ambiguous phrases that overlap with common speech, so the skill can activate when users are not intentionally requesting it. Because the file repeatedly merges externally sourced fragments, accidental invocation could surface low-quality or unreviewed guidance to users.

VirusTotal

64/64 vendors flagged this skill as clean.
