ClawHub

Anti-Laziness Protocol

Security checks across malware telemetry and agentic risk

Overview

This skill is a quality-control protocol, but it is broad enough to affect many ordinary tasks and tells the agent to write progress files without clear limits.

Review before installing. The skill is not malware and has no executable code, but it can make the agent apply a heavy verification workflow to many ordinary requests and may create temporary/progress files containing intermediate findings. Install only if you want that behavior broadly, and prefer a version with narrower triggers plus explicit rules for where files are written and when they are cleaned up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

High
Confidence
93% confidence
Finding
The skill’s activation scope is broadly framed in the description and reinforced by the body, making it likely to trigger for many normal analytical tasks rather than a narrowly defined workflow. Over-broad triggers can cause unintended instruction precedence, changing agent behavior in unrelated contexts and increasing the chance of unnecessary file-writing, process overhead, or policy conflicts.

Vague Triggers

High
Confidence
98% confidence
Finding
The phrase "任何需要验证的工作" is effectively a catch-all that can match a very large fraction of user requests, causing the skill to activate far outside its intended domain. In practice this can override or distort normal agent behavior across many tasks, making the skill intrusive and hard to control.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Triggering on a user asking for "详细分析" is too generic because that phrase commonly appears in ordinary requests across many domains. This overlap raises the chance of accidental activation, which can inject unrelated process requirements into normal conversations and degrade predictability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to write key findings and progress summaries to temporary or progress files, but provides no constraints on location, sensitivity, retention, or user consent. That creates a real risk of persisting sensitive user data, polluting the workspace, overwriting existing files, or leaking intermediate reasoning into artifacts the user did not request.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal