ClawHub

OPC Essentials

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only business planning and drafting skill with broad but disclosed solo-founder use cases and no hidden execution or credential use.

This appears safe to install as a drafting and planning aid. Use normal care with client names, invoices, sales notes, and renewal details, and review any payment, proposal, or client-facing message before sending because the skill may make reasonable assumptions when context is incomplete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
78% confidence
Finding
The skill explicitly tells the agent to infer a mode when the user does not name one, and its mode catalog spans many common business tasks. That broad routing can cause the skill to activate on ordinary requests that only partially match its scope, increasing the chance of unintended prompt takeover, misrouting, or inappropriate use of business-context drafting behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The input policy says to request inputs when helpful, but to infer them reasonably and proceed if they are missing. This encourages the agent to fill in missing audience, tone, urgency, and operating context without explicit confirmation, which can lead to incorrect assumptions, unintended actions, and over-application of the skill to loosely related requests.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example prompts are very broad, natural-language requests that overlap with ordinary productivity and business-assistant use cases, making accidental or overly frequent activation more likely. In a skill that handles sales, invoices, renewals, and founder decision-making, unclear activation boundaries can cause unintended routing of sensitive business context into this skill when the user may have intended a different workflow or a narrower tool.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal