Nm Imbue Proof Of Work

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill promotes stricter validation before claiming work is done, with ordinary caution needed around command outputs and evidence logs.

Install this if you want stricter done-gates and evidence-backed completion claims. Review commands before allowing them to run, avoid unnecessary global installs or unpinned latest-version executions, and redact secrets, account IDs, environment variable values, API responses, and private paths before storing or sharing evidence logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (93% confidence)
Finding
The trigger list includes very generic terms such as 'validation', 'testing', 'proof', and 'acceptance-criteria', which are likely to appear in many ordinary development conversations. This can cause the skill to activate outside its intended scope, leading to unsolicited procedural steering or workflow interference across unrelated tasks. In context, the skill is not directly executing dangerous actions, but broad activation increases the attack surface for prompt injection and accidental policy override via unnecessary skill invocation.

Missing User Warnings

Low (91% confidence)
Finding
The guidance recommends authentication/credential validation commands such as `gh auth status` and `aws sts get-caller-identity` without warning that their output can reveal account identity, active session details, or environment-specific metadata that may be copied into evidence logs. In a proof/validation skill that explicitly instructs users to capture command output, this increases the chance of inadvertent disclosure of sensitive operational details.

VirusTotal

65/65 vendors flagged this skill as clean.
