ClawHub

AIScan — AI Readiness Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed website AI-readiness scanner that sends a target URL to AIScan.site and may help edit website metadata files, with no evidence of secrets, persistence, or hidden behavior.

Install this if you are comfortable sending website URLs to AIScan.site for analysis and allowing your agent to propose changes to public website metadata. Before letting it apply fixes, review the planned file edits, especially robots.txt, llms.txt, sitemap routes, .well-known files, WordPress theme snippets, or Shopify theme files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrase "run aiscan on" is broad enough to match casual user text without clearly establishing that the user wants an external website scan. That can cause the agent to invoke this skill unexpectedly, leading to unneeded outbound requests and potentially starting a workflow that proposes or performs changes based on an ambiguous prompt.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions explicitly tell the agent to apply fixes to the user's codebase and then re-scan, but they provide no requirement to obtain user approval, present a change plan, or warn about side effects. In a code-editing environment, this can result in unauthorized or premature modifications to production-relevant files such as robots.txt, llms.txt, sitemap routes, and .well-known metadata based solely on third-party scan output.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal