ClawHub

Content Refresher

Security checks across malware telemetry and agentic risk

Overview

This is a plain-text SEO content refresh skill whose data use and optional saved audit notes fit its stated purpose.

Safe to install for SEO/content-refresh workflows. Only connect analytics or Search Console data you intend the agent to analyze, review recommendations before changing live pages, and approve saved memory/audit notes only when they do not contain sensitive business strategy or private performance data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list contains several generic phrases such as 'refresh content', 'traffic is dropping', and 'ranking dropped' that are likely to appear in ordinary SEO or writing conversations. In agent environments that auto-route skills by trigger matching, this can cause unintended activation, leading the agent to apply this skill in broader contexts than the user intended and potentially initiate side effects like reading shared state or proposing writes to memory artifacts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to ask to save results, but elsewhere the contract already frames writing reusable summaries to memory paths as part of normal operation, which weakens clear consent boundaries. In shared-agent or persistent-workspace settings, this can result in user data, business URLs, audit conclusions, or strategic notes being stored in long-lived memory files without an upfront, explicit warning at skill start.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal