Superpowers Tdd

Security checks across malware telemetry and agentic risk

Overview

This is a ClawHub code-review helper that uses local review tools and repo diffs in a disclosed, purpose-aligned way, with some broad but visible execution options.

Install only if you want a repo-local ClawHub review workflow that can run review commands and tests. For tighter control, run the helper with --no-yolo or AUTOREVIEW_YOLO=0, set --fallback-reviewer none if you do not want diffs sent to other reviewer CLIs, and use --dry-run first to see selected commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The manifest trigger phrase is excessively broad, causing the skill to activate for nearly any feature or bugfix task. Over-broad routing can override user intent or inject rigid workflow constraints into unrelated work, increasing the chance of unsafe or disruptive agent behavior even though the content itself is not overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal