Performance Reporter

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only SEO/GEO reporting helper with disclosed optional data and memory use, and no evidence of hidden execution or data theft.

Safe to install for SEO/GEO reporting. Use read-only, domain-scoped analytics or SEO integrations where possible, review any generated memory summary before approving saves, and be aware that broad trigger phrases, such as a generic "monthly report", may route unrelated reporting requests into this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding:
The trigger set includes broad English phrases such as 'performance report', 'traffic report', and 'report to my boss' that can match many ordinary business requests outside SEO/GEO reporting. In a skill-routing system, this can cause unintended activation, leading the agent to pull the wrong workflow, produce irrelevant outputs, or read/write monitoring memory inappropriately for requests that were not meant for this skill.

Vague Triggers

Medium
Confidence: 92%
Finding:
Several non-English triggers are highly generic, including phrases equivalent to 'dashboard', 'monthly report', 'weekly report', and 'report to my boss', which are common across many unrelated business tasks. Because this skill also supports saving results and promoting items into shared memory/open loops, accidental invocation in multilingual environments increases the risk of workflow confusion, irrelevant reporting, and unintended state changes.

VirusTotal

65/65 vendors flagged this skill as clean.
