Ai Code Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AI code generator; its main risks are the ordinary ones for LLM code generation: generated files and dependencies that are used without review, and sensitive material that ends up in prompts sent to the model backend.

Install only if you are comfortable using an LLM-based code generator. Do not include secrets, private keys, or sensitive proprietary details in requirements unless you trust the model backend, and review generated files and dependencies before saving, installing, or running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly advertises creating multiple files and managing project artifacts, but it does not warn users that running it may modify the local filesystem. In an agent context, omission of side-effect warnings can lead to unanticipated file creation or overwrites, especially when generating complete projects in existing directories.

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow states the agent will 'Write to file' for each generated artifact, yet the documentation provides no notice about overwrite risk or other filesystem side effects. This increases the chance that users invoke the skill without understanding it can persist changes across many files, potentially damaging existing projects or introducing unreviewed code.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill sends user-provided requirements and, in other phases, generated file contents to an LLM backend without any explicit disclosure, consent flow, or data-classification guardrails. Because requirements may contain proprietary source code, credentials, internal architecture details, or other sensitive business information, this creates a real data exfiltration and privacy risk whenever the configured LLM is external or third-party hosted.
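The three findings above come down to two unguarded steps: generated artifacts are written over whatever already exists on disk, and user requirements are forwarded to the LLM backend without being checked for secrets. The following is an added example of the guards a practitioner would put in front of both steps. It is not code from this skill, from SkillSpector or from NVIDIA; the `safe_write` and `prepare_prompt` functions, the small secret-pattern set and the sample requirements text are all constructed here for illustration, and the pattern set is deliberately incomplete.

```python
import re
import tempfile
from pathlib import Path

# Constructed, deliberately small set of secret formats (assumption: illustrative,
# not an exhaustive scanner). Real deployments would use a dedicated secret scanner.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assigned_credential": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})"
    ),
}


class SecretsInPrompt(ValueError):
    """Raised when requirements would carry secrets to the model backend."""

    def __init__(self, names):
        super().__init__(
            f"requirements contain {', '.join(names)}; refusing to send them to the LLM backend"
        )
        self.names = names


def find_secrets(text: str) -> list:
    """Return the names of secret patterns present in `text`, sorted and de-duplicated."""
    return sorted({name for name, rx in SECRET_PATTERNS.items() if rx.search(text)})


def redact(text: str) -> str:
    """Replace every secret match with a labelled placeholder before the text leaves the host."""
    for name, rx in SECRET_PATTERNS.items():
        text = rx.sub(f"[REDACTED:{name}]", text)
    return text


def prepare_prompt(requirements: str, trust_backend: bool = False) -> str:
    """Fail-closed gate in front of the LLM call: secrets only pass if the caller opts in."""
    hits = find_secrets(requirements)
    if hits and not trust_backend:
        raise SecretsInPrompt(hits)
    return requirements


class OverwriteRefused(FileExistsError):
    """Raised when a generated artifact would replace an existing file without consent."""


def safe_write(root: Path, relpath: str, content: str, allow_overwrite: bool = False) -> str:
    """Write one generated artifact under `root`.

    Refuses paths that escape `root` (e.g. a generated name like '../.bashrc') and refuses
    to replace an existing file unless the caller explicitly opts in.
    Returns 'created' or 'overwritten'.
    """
    root = root.resolve()
    target = (root / relpath).resolve()
    if root not in target.parents:
        raise ValueError(f"refusing to write outside project root: {relpath}")
    existed = target.exists()
    if existed and not allow_overwrite:
        raise OverwriteRefused(f"{target} exists; pass allow_overwrite=True to replace it")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)
    return "overwritten" if existed else "created"


def demo() -> dict:
    """Run both guards on constructed input and return the observed outcomes."""
    # Constructed requirements text containing a documented example AWS key id and a fake token.
    requirements = (
        "Build a Flask service that uploads reports to S3.\n"
        "Use access key AKIAIOSFODNN7EXAMPLE and api_key = 'sk_live_0123456789abcdef'.\n"
    )
    results = {"secrets": find_secrets(requirements)}
    try:
        prepare_prompt(requirements)
    except SecretsInPrompt as exc:
        results["blocked"] = exc.names
    results["redacted"] = redact(requirements)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        results["first"] = safe_write(root, "app/main.py", "print('hello')\n")
        try:
            safe_write(root, "app/main.py", "print('v2')\n")
        except OverwriteRefused:
            results["second"] = "refused"
        results["third"] = safe_write(root, "app/main.py", "print('v2')\n", allow_overwrite=True)
        try:
            safe_write(root, "../escape.txt", "x")
        except ValueError:
            results["escape"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The default of `prepare_prompt` is to refuse rather than silently redact, so the user sees exactly which categories of secret would have left the host and can decide between removing them, redacting with `redact`, or passing `trust_backend=True` for a self-hosted model. `safe_write` resolves the final path before comparing it against the project root, which also catches names that look relative but traverse upward after normalisation.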

VirusTotal

54/54 vendors flagged this skill as clean.
