Nm Pensive Architecture Review

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only architecture review skill that guides repository analysis and does not show hidden execution, persistence, exfiltration, or destructive behavior.

Install this if you want an agent to analyze architecture and dependencies in the repository where you invoke it. Review suggested shell commands before running them, and separately evaluate the referenced external Night Market or Claude Code plugin if you choose to install it, because that plugin is not covered by these markdown artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding:
The skill instructs the agent/user to run shell commands (`pwd`, `git status -sb`) and includes troubleshooting guidance about PATH, permissions, and verbose execution. For an architecture-review skill, these operational instructions expand behavior beyond passive review and normalize command execution, which increases the chance of unnecessary environment interaction or privilege-related actions if invoked automatically by an agent.

Vague Triggers

Medium
Confidence: 84%
Finding:
The triggers include broad terms such as `design`, `patterns`, and `principles`, which are common in many unrelated conversations. This can cause unintended invocation of the skill in contexts where architecture review was not requested, increasing the likelihood that its command-oriented workflow and module-loading instructions are applied unexpectedly.

VirusTotal

63/63 vendors flagged this skill as clean.
