ClawHub
Back to skill

Security audit

Nm Leyline Progressive Loading

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for loading skill modules efficiently, with no executable installer or hidden data handling found.

Installers should treat this as authoring guidance, not a turnkey runtime. Review the broad triggers if you are sensitive to accidental activation, and keep any caching, telemetry, git mutation, publishing, or service-management patterns explicit and user-controlled when adapting the examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger list contains broad terms such as "modularity," "context-management," and "lazy-loading," which are generic enough to activate in many unrelated conversations. Over-broad activation increases the chance that the skill is loaded outside its intended scope, unnecessarily exposing its guidance and any linked module-loading behavior to contexts where it does not apply.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example frontmatter uses very broad trigger keywords such as common technical terms that can easily appear in ordinary conversation or unrelated tasks. In a progressive-loading skill, ambiguous triggers can cause the wrong module to load, increasing prompt-surface exposure, consuming context budget, and potentially activating instructions that were not relevant to the user's request.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The integration examples describe loading decisions with vague triggers like branch mentions, markdown files, or complexity high, without precise matching rules or precedence. This ambiguity can lead to over-triggering and unintended module activation, which is especially risky in a hub-and-spoke loader because each extra module increases attack surface and may pull in additional dependencies.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal