Ai Chat Enhancer 0f5a92

Security checks across malware telemetry and agentic risk

Overview

This is a text-only tutorial note with messy trigger wording and a merged unrelated section, but it does not install code, request credentials, or perform actions.

Safe to install as a reference note, but expect possible off-topic activation because the triggers are broad. Review any Chat2API or model-sharing steps separately for provider terms and legality before acting on them.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Intent-Code Divergence

Medium, 91% confidence
Finding
The merged section documents a second, materially different skill purpose under the same skill identity, which can cause the agent or user to invoke behavior that does not match the advertised capability. This increases the chance of unintended execution paths, confused-deputy behavior, or trust in instructions sourced from unrelated content merged into the same skill.

Vague Triggers

Medium, 88% confidence
Finding
The trigger conditions are broad and generic, such as activating on users needing related help, which can cause the skill to fire in conversations where it was not explicitly requested. In a skill that references model access and sharing with others, unintended invocation could expose users to off-topic guidance, unsafe setup steps, or instructions that bypass normal trust boundaries.

Vague Triggers

Medium, 90% confidence
Finding
The manifest trigger string concatenates several generic phrases without clear separators or activation semantics, making matching behavior ambiguous and prone to over-triggering. This can lead to the skill being selected for ordinary discussion of Windows deployment or model names even when the user did not intend to invoke this specific skill.

Vague Triggers

Medium, 87% confidence
Finding
The second trigger block repeats the same overly broad activation pattern for the merged content, compounding the risk that unrelated conversations about marginnote or AI help will invoke this skill unexpectedly. Because the file already mixes distinct purposes, broad triggers further increase confusion and unintended use of the wrong instructions.

VirusTotal

64/64 vendors flagged this skill as clean.
