ClawHub

Frontend Design Agency

Security checks across malware telemetry and agentic risk

Overview

This is a German-language frontend design workflow skill with local reference assets and no evidence of hidden access, persistence, exfiltration, or destructive behavior.

Install this if you are comfortable using a German-language frontend design workflow. If you run the optional evaluation assets, choose an approved LLM/provider yourself and avoid sending confidential project prompts to third-party models without consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The file explicitly instructs the evaluator to run each judge prompt through specific external LLMs ('Claude/GPT') without any indication of user consent, configurability, or policy checks. In a skill-evaluation pipeline, this can cause unauthorized routing of potentially sensitive prompt content to third-party models and can override user or platform model-selection constraints.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The evaluation prompt is written in German without any language choice, which can cause the agent or evaluator to operate in an unintended language context and misunderstand requirements. In a judge/evaluation workflow, this degrades reliability, creates inconsistent outputs, and may unfairly bias results when the surrounding system or user expects English or locale-neutral behavior.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The embedded skill content is entirely German-language and implicitly requires German comprehension without user opt-in. Because this file is used to judge skill behavior, the hidden locale assumption can distort security review or functional evaluation by causing the model to privilege German-only operation, miss nuances, or fail for users and systems not prepared for that language.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal