ClawHub

Trend Harvester

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed public trend-research helper with broad trigger phrases but no executable code, credential access, persistence, or hidden high-impact behavior.

Install if you want a helper for public trend research. Use it intentionally for topics you are comfortable sending to external search/API services, and verify cited sources before relying on the report.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "market research..." is broad and can match many ordinary user requests that are not specifically asking to invoke this skill. In an agent environment, this increases the chance of unintended skill activation, causing the agent to pull in external sources or perform multi-platform searches when the user intended a general discussion instead.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The phrase "what are people saying about..." is highly ambiguous and overlaps with common conversational requests. In a skill-routing system, this can cause accidental invocation of this skill for routine queries, leading to unnecessary external lookups, incorrect tool selection, and unpredictable behavior when another skill or a simple answer would have been more appropriate.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description and trigger design indicate very broad activation semantics for generic requests like trend research and 'what's hot'. In an agent environment, this can cause unintended invocation on ordinary user queries, leading to unnecessary external fetching, context switching, and possible leakage of user intent to third-party services without sufficiently explicit user consent.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The listed trigger phrases are ambiguous, multilingual, and common in natural conversation, which increases the chance that the skill activates when the user did not intend to run this specific workflow. Because the skill performs cross-platform research using external sources, accidental activation can create privacy, cost, and reliability risks disproportionate to the user's original request.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal