Technical Discussion Management and Consolidation

Security checks across malware telemetry and agentic risk

Overview

This skill is a local documentation helper that saves technical discussions and can optionally create Git commits and tags when asked.

Install this only in workspaces where you want discussion notes saved to disk. Avoid recording secrets in discussions, review generated markdown before sharing, and check git status/staged files before allowing the optional version-recording flow to commit or tag.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The example shows the agent automatically creating and updating local files as part of normal interaction, but provides no warning, consent step, or indication that workspace files will be modified. In an agent setting, normalizing silent writes can cause unintended changes to user repositories or local documentation, especially if users interpret the flow as discussion-only rather than state-changing.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
This example depicts generating documents and creating a code directory as an automatic continuation of the workflow, again without warning that the agent will modify the workspace. That is risky because users may trigger broad file and directory creation from conversational commands like '开始开发' ("start development") without understanding the side effects, which can pollute repositories or overwrite the expected project structure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The Git example normalizes repository state changes, including version recording and tag creation, without warning or confirmation. Git tags are durable project artifacts and can affect release workflows, CI/CD, and team processes, so creating them from conversational input without explicit consent is a meaningful integrity risk.

VirusTotal

65/65 vendors flagged this skill as clean.