Chief Creative Officer

Security checks across malware telemetry and agentic risk

Overview

This creative brainstorming skill fits its stated purpose, but it needs review because it directs user-preference text to override system instructions and, by default, stores and shares full brainstorming notes.

Install only if you are comfortable with a workflow that records brainstorming details in wiki documents and shares them with configured LLM tools. Do not use it for confidential strategy, regulated data, or sensitive personal information unless you can control retention and redaction, and do not allow the user-preferences placeholder to override higher-priority system or safety instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill is broadly defined as a generic chief creative officer agent and lacks clear trigger boundaries, allowed task categories, or explicit prohibitions. That makes it easy to invoke for unrelated requests and increases the chance it will apply external search, delegation, and persistent logging to sensitive or inappropriate tasks without adequate safeguards.

Missing User Warnings

Medium
Confidence: 97%
Finding
The workflow mandates creating and continuously appending to wiki documents that contain the full challenge, assignments, model outputs, and summaries, but gives no warning that this content will be persistently stored. Users may reasonably assume brainstorming is ephemeral, so mandatory durable logging can expose proprietary ideas, internal strategy, or personal data beyond user expectations.

Missing User Warnings

Medium
Confidence: 97%
Finding
The workflow mandates creating and continuously appending to wiki documents that contain the full challenge, assignments, model outputs, and summaries, but gives no warning that this content will be persistently stored. Users may reasonably assume brainstorming is ephemeral, so mandatory durable logging can expose proprietary ideas, internal strategy, or personal data beyond user expectations.

Ssd 3

Medium
Confidence: 95%
Finding
The skill requires preserving the entire brainstorming record, in some cases making removal of details 'strictly forbidden', and then submitting both the final proposal and full meeting minutes. This prevents data minimization and can unnecessarily propagate all user inputs and intermediate model outputs, increasing the blast radius of any sensitive, regulated, or proprietary information included during the session.

VirusTotal

64/64 vendors flagged this skill as clean.
