ClawHub

SecureVibes Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed security-scanning skill whose powerful behaviors are mostly expected for its purpose, but users should enable external scans and cron monitoring deliberately.

Before installing, verify that you trust the securevibes CLI package and understand which Anthropic account or API key it will use. Only scan repositories and web targets you are authorized to test, and create the cron job only when you intentionally want ongoing background monitoring that writes .securevibes state and reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest description is very broad and can activate on many normal security-related requests, including scanning, review, threat modeling, and continuous monitoring. Because the skill also enables shell commands, cron setup, file modification, and optional networked DAST, overbroad activation increases the chance the agent invokes a powerful skill in contexts where the user did not intend those side effects.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The request-to-action mappings use vague phrases such as 'Scan this for security issues' and 'Quick security check' that overlap with ordinary user language, then map them directly to command execution. In this skill's context, that is more dangerous because the mapped actions can trigger shell execution, persistent cron-based monitoring, repository changes, and DAST traffic without a separate intent-verification step.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal