ClawHub

Ai Adoption Readiness

Security checks across malware telemetry and agentic risk

Overview

This is a text-only AI readiness assessment skill that asks for business context but does not show hidden code execution, credential use, persistence, or destructive behavior.

Safe to install based on the reviewed artifacts. Use high-level or anonymized business details where possible, and do not provide credentials, customer data, regulated data, exact confidential budgets, internal security details, or proprietary strategy unless you intentionally want the agent to process that information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance is broad enough that the skill could be triggered in loosely related contexts such as vendor qualification, business case generation, or general AI planning without strong scope checks. That increases the chance the agent elicits or processes unnecessary internal business details, produces overconfident readiness assessments from partial data, or is used outside its intended pre-change-assessment workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill prompts for organization name, tech stack, budget, blockers, and department scope, all of which can contain sensitive commercial, security, or operational information, but it provides no privacy warning, minimization guidance, or restriction against secrets. In practice, users may overshare confidential internal data, credentials, customer information, or regulated business details because the prompt normalizes broad disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal