ClawHub
Back to skill

Security audit

Nm Tome Synthesize

Security checks across malware telemetry and agentic risk

Overview

This is a text-only research report helper with overly broad trigger words, but no evidence of hidden, destructive, privileged, or data-exfiltrating behavior.

Safe to install as a research-session helper, but verify it is being invoked only when you want multi-channel research findings synthesized into a report; the single-word triggers may be too easy to activate accidentally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are extremely generic ('merge', 'rank', 'format', 'report') and are likely to activate during ordinary user requests unrelated to this specific skill. In an agent ecosystem, broad triggers can cause unintended skill invocation, leading to incorrect routing, unexpected behavior, or interference with other tools and workflows.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
91% confidence
Finding
The trigger 'merge' overlaps with a common built-in command name, creating a shadowing risk where this skill may intercept or be confused with native command behavior. That can cause command hijacking, unexpected execution paths, or user confusion, especially in environments that resolve commands by trigger matching.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
92% confidence
Finding
The trigger 'format' conflicts with a highly generic built-in command concept and may shadow legitimate formatting functionality. Because 'format' is a routine user action, this raises the chance of accidental invocation and unintended report-generation behavior instead of the expected native formatting operation.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.