ClawHub

Content Creator

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only redirect skill for content marketing requests, with some broad reference material but no code, credential use, persistence, or hidden authority.

Install this if you want old 'content creator' prompts redirected to newer marketing skills. Review the successor skills separately before allowing publishing, analytics setup, account access, or tool execution, and ask for clarification when a content request is ambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file contains a full operational social media optimization guide, which exceeds the stated scope of a deprecated redirect-only skill. In an agent system, embedded substantive guidance can cause the skill to act outside intended routing behavior, increasing the chance of unauthorized content generation, strategy advice, or policy bypass through prompt/context leakage.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The document provides direct strategy and execution playbooks for multiple platforms, including timing, engagement tactics, analytics, crisis response, and tool recommendations, which are unnecessary for a pure redirector. This broad embedded expertise makes the skill more dangerous in context because a supposedly passive router may instead supply actionable guidance or influence downstream behavior if the content is retrieved or exposed during inference.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger guidance is broad and the default behavior is only partially specified: requests mentioning "content creator" are routed to content-production by default even though the skill description says the router should distinguish between writing and planning intents. This can cause misrouting of ordinary user requests, leading to incorrect skill selection, unexpected tool access, or degraded task handling, though it does not by itself indicate direct code execution or data exfiltration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal