Nm Conjure Delegation Core

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent external-LLM delegation guide, but users should be careful about what data they send to Gemini, Qwen, or related services.

Install only if you intend to route selected work to external LLM services. Before using it, confirm that prompts, files, and saved outputs do not contain secrets, personal data, proprietary material, or security-sensitive code unless you have explicit approval and suitable handling controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (88% confidence)
Finding
The trigger phrase set is broad enough to activate this skill in many ordinary contexts, including generic task-management or quality-control scenarios. Because the skill routes work to external LLMs, overbroad activation increases the chance that sensitive user data is delegated unintentionally without a deliberate opt-in step.

Missing User Warnings

Medium (94% confidence)
Finding
The skill repeatedly recommends delegating work to Gemini or Qwen but does not include an explicit warning that prompts, files, or contextual data may be transmitted to third-party services. In a delegation skill, this omission is security-relevant because users may unknowingly expose secrets, proprietary code, or regulated data during normal use.

Missing User Warnings

Medium (90% confidence)
Finding
The guidance explicitly recommends capturing and saving full output from an external model for audit purposes, but it does not include any guardrails around redaction, minimization, retention, or user notice. In a delegation framework, external-model outputs can contain sensitive prompts, proprietary code, personal data, or generated secrets, so storing them wholesale increases privacy and data-retention risk if logs are later accessed, retained too long, or reused insecurely.

VirusTotal

64/64 vendors flagged this skill as clean.
