Skill Seo

Security checks across malware telemetry and agentic risk

Overview

This skill appears to help authors improve ClawHub skill discoverability and publishing, with no artifact-backed evidence of hidden or malicious behavior.

Install only if you want help improving and publishing ClawHub skill metadata. Before letting it run any `clawhub publish` step, review the generated description, tags, and version details yourself, since publishing changes public platform state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The manifest description packs many broad, user-like trigger phrases such as 'get more downloads', 'skill marketing', and 'why no one finds my skill' into the indexed description. In a skill-routing or vector-search system, this can make the skill match overly broad queries and be invoked when the user did not specifically ask for SEO optimization, creating prompt-squatting and unintended invocation risk.

Vague Triggers

Medium
Confidence: 96%
Finding
The guidance explicitly recommends generic trigger stems like 'how do I...', 'I want to...', and 'can my agent...' without requiring domain qualifiers. That teaches authors to capture highly common natural-language patterns that can collide with unrelated user requests, increasing the chance this skill is selected opportunistically by an agent or discovery system.

VirusTotal

64/64 vendors flagged this skill as clean.
