Visual Content Desc

Security checks across malware telemetry and agentic risk

Overview

This is a simple local helper for drafting medical image descriptions, with no evidence of hidden access, networking, persistence, or destructive behavior.

Safe to install as a lightweight drafting aid, but users should not treat it as medical image analysis or diagnosis. Provide only image features you are comfortable including in generated text, especially for patient-related material, and confirm output destinations if adapting the workflow to write files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The skill description is truncated and ambiguous, which can cause the skill to be selected for tasks outside its intended scope. In a medical-image context, unclear triggering increases the chance of inappropriate use, unsupported assumptions, or unsafe handling of sensitive content and local script execution.

Vague Triggers

Medium
Confidence: 87%
Finding
The 'When to Use' section is broad and lacks concrete exclusion criteria, so an agent may invoke the skill for unsuitable requests simply because they loosely resemble image-description tasks. Because the skill is packaged with executable code, overbroad invocation guidance increases the risk of unnecessary code execution, incorrect medical output, or processing of sensitive files outside the user's true intent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The file documents local Python execution and output generation, but the user-facing guidance does not prominently warn about these side effects before use. This can lead to consent and safety issues, especially in environments handling medical or sensitive files, because an agent might run code or write artifacts without sufficiently explicit acknowledgement of those actions.

VirusTotal

65/65 vendors flagged this skill as clean.
