Nm Conserve Bloat Detector

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only codebase bloat review skill; it can suggest deletions, but its artifacts disclose that changes require approval and provide safety checks.

Install only if you want an agent to analyze your repository for bloat and propose cleanup. Review any DELETE, ARCHIVE, or auto-approval settings carefully, keep dry-run or preview mode enabled, and require tests or CI before accepting code-removal changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium, 92% confidence
Finding
The trigger phrase "cleanup" is overly broad and can cause the skill to activate during routine maintenance or refactoring requests that are not specifically about bloat analysis. In an agentic environment, broad triggers increase the chance of inappropriate skill loading, unnecessary context injection, and unintended guidance that can steer workflows away from the user's actual task.

Vague Triggers

Medium, 89% confidence
Finding
The trigger phrase "optimization" is vague and overlaps with many unrelated requests, including performance tuning, cost reduction, or algorithmic improvement. This can cause the skill to be invoked outside its intended scope, leading to misapplied recommendations and unnecessary expansion of model context.

Vague Triggers

Medium, 90% confidence
Finding
The invocation condition "codebase feels large or before a release" is ambiguous, subjective, and not machine-precise. Ambiguous triggers make activation unpredictable, which increases the likelihood of accidental invocation and inconsistent behavior across users and agent implementations.

Missing User Warnings

Medium, 82% confidence
Finding
The module produces a strong 'DELETE' recommendation and later suggests creating a cleanup PR from HIGH-confidence signals, but it does not pair that guidance with an explicit warning about destructive changes, validation requirements, or rollback safeguards. In an agent setting, this can normalize or automate removal of files based on heuristics, increasing the chance of accidental data loss or deletion of still-needed code, docs, or operational artifacts.

VirusTotal

65/65 vendors flagged this skill as clean.
