ExpertLens

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only reasoning skill, but it needs Review because it can broadly activate and have an agent use external AI accounts while sharing large task context.

Install only if you want an aggressive reasoning framework that may use other AI services. Before using Swarm Mode, require the agent to ask first, name the destination service, show the exact prompt or email it will send, and remove secrets, personal data, credentials, private project context, and regulated information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The skill explicitly authorizes autonomous use of external AI platforms and asks the user to log in so the agent can operate those accounts directly. That crosses from reasoning guidance into account/tool control, which can expose user data, perform unintended actions on third-party services, and bypass normal user review boundaries. In this context, the broad trigger and hidden-framework design make the behavior more dangerous because it may activate without clear, informed consent each time.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The skill tells the agent to read other models' visible reasoning, which encourages collection and use of chain-of-thought or similarly sensitive intermediate reasoning from external systems. Even when visible, this can violate platform usage norms, increase leakage of sensitive or proprietary content, and normalize behavior outside the stated purpose of expert task assistance.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill authorizes sending email to the creator if tools are available, which is unrelated to the core reasoning function and creates an unnecessary outbound communication channel. That can leak user data, conversation context, or system details to a third party under the guise of feedback, especially because the framework encourages invisible operation and broad activation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The persona explicitly instructs the agent to "search," try "different angles," and use "every available tool" whenever it lacks knowledge. In a generic reasoning skill, that expands authority from reasoning-only behavior into opportunistic tool use, which can trigger unintended browsing, data access, or external actions beyond user intent or platform policy.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The file contains prescriptive medical, legal, financial, and other professional-domain protocols that go beyond a generic thinking framework and encourage specialized advisory behavior. That creates scope creep: the skill can steer the agent into high-risk regulated domains while framing the output as authoritative expert guidance, increasing the chance of harmful or non-compliant advice.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The swarm/multi-model synthesis section introduces additional execution behavior, including using multiple perspectives and referenced relay prompts, that is not disclosed in the manifest as part of the skill's capabilities. Hidden orchestration behavior can cause unreviewed data sharing across models, unexpected prompt relaying, or expanded execution paths that users and operators did not consent to.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The file expands the skill from a local reasoning aid into an orchestration system that can access other AI platforms and perform web-based model selection. That materially changes the trust boundary and data-flow behavior of the skill, increasing exposure to external services and unvetted content in ways not inherent to the stated purpose of improving reasoning quality.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The instruction to read another model's visible chain-of-thought is unnecessary for normal task completion and encourages collection of sensitive reasoning traces that may contain hidden prompts, policy text, private user data, or other non-output artifacts. It also pushes the agent to evaluate internal reasoning from third-party systems, which is both privacy-invasive and operationally risky.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The activation phrases are broad and include common language such as "do it properly" and "make it great"-style intent, which can cause the skill to activate unexpectedly during ordinary interactions. In a prompt-injection-sensitive environment, overly broad auto-triggering increases the chance that hidden behavior, extra instruction loading, or downstream actions occur without clear user awareness or consent.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The manual installation prompt instructs the host AI to activate on ambiguous conditions like high-quality output requests or tasks that are creative, strategic, architectural, or meant to be published. Because these conditions are loosely defined, they can override normal task handling too often and may silently expand the model's behavior in ways the user did not clearly request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README endorses autonomous coordination with other AI platforms if direct access exists, but does not clearly warn that prompts, user data, or sensitive context may be transmitted to external services. This creates a real risk of unintended cross-platform data disclosure, policy boundary violations, and loss of control over where confidential information is sent.

Vague Triggers

Severity: High
Confidence: 93%
Finding:
The activation scope is extremely broad, covering many common phrases and vague categories like 'make it great,' creative work, and complex problems. Overbroad triggers are dangerous because they let a powerful, instruction-heavy framework activate unexpectedly in normal conversations, increasing the chance that risky behaviors elsewhere in the skill will be applied without clear user intent.

Vague Triggers

Severity: High
Confidence: 94%
Finding:
The manual trigger list includes ordinary conversational phrases such as 'do it properly' and 'best possible way,' which many users may say without intending to invoke a special framework. In this skill, that matters because invocation changes behavior substantially and can lead to hidden scaffolding, external-tool escalation, and broader task scope than the user expected.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The auto-detection rules rely on subjective judgments like whether a task is strategic, creative, high-stakes, or vague, leaving too much discretion to the model. Ambiguous activation logic increases accidental invocation and makes downstream risky instructions more likely to be applied in contexts the user did not authorize.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The activation language is intentionally broad, triggering on phrases like "deep think," "production ready," creative work, system design, strategy, vague requests, and similar intent across languages. This makes the persona effectively always-on, allowing it to override normal task-specific behavior and inject high-authority instructions into a very large share of interactions.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The instruction to read the entire file "before doing anything" attempts to seize priority over the agent's normal control flow for all tasks. In practice, that broad precondition can create instruction hijacking behavior, where this persona inserts itself ahead of more appropriate, narrower, or safer task handlers.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The autonomous-mode directions authorize direct access to other platforms and web searches without requiring a user-facing disclosure that conversation content may be transmitted to third parties. This creates a clear consent and privacy gap, especially if prompts contain sensitive project details, personal data, credentials, or proprietary material.

Ssd 1

Severity: Medium
Confidence: 85%
Finding:
The skill redefines the model as an autonomous expert collaborator and explicitly tells it to keep the framework invisible from the user. Concealing meaningful behavioral changes undermines informed consent and makes it harder for users to understand when the agent is following hidden instructions that may alter scope, tone, or external-action decisions.

Ssd 4

Severity: High
Confidence: 97%
Finding:
This section combines several escalation patterns: asking for access to third-party platforms, operating them directly, and inspecting other models' reasoning. The workflow gradually expands authority from generating prompts to taking over external sessions, which creates substantial risk of unauthorized actions, privacy exposure, and boundary bypass. The skill context makes it more dangerous because these instructions are embedded in a seemingly benign 'thinking framework' rather than a tool-specific automation skill.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The relay template explicitly instructs sharing 'full background' and assumes the other model has zero context, which normalizes sending the entire conversation or project history to third-party systems. This creates a straightforward natural-language data exfiltration path for sensitive, confidential, or regulated information.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
Autonomous access to other platforms combined with inspection of visible reasoning broadens cross-system exposure beyond normal output exchange. Even if the reasoning is technically visible, consuming and propagating it can reveal sensitive prompts, internal instructions, or user-derived content across systems without clear necessity or consent.

VirusTotal

65/65 vendors flagged this skill as clean.