content-factory

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only content production skill with optional sub-agent examples and some visible niche audience assumptions, but no hidden execution, credential access, exfiltration, or persistence.

Safe to install as a prompt-only content assistant. Review the niche religious/parenting audience assumptions before using it for general-purpose marketing, use voice matching only with consent or appropriate attribution, and avoid optional cloud sub-agent workflows for confidential drafts unless you intend that content to leave the main session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence: 84%
Finding
The skill includes explicit sub-agent spawning examples that invoke a shell-like command without any warning, confirmation step, or guidance on safe handling of untrusted task content. In agent environments, operational examples can be copied or followed automatically, which increases the risk of unintended command execution, task fan-out, or processing of sensitive content beyond the user's expectations.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The prompt includes a hard requirement that outputs pass 'theological guardrails' without documenting that the user explicitly selected a religious framework or what those guardrails are. In a general-purpose content tool, this can silently bias or constrain generated content, causing undisclosed ideological steering and inappropriate handling of user material that is not religious in nature.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The prompt hard-codes a specific religious, gender, age, and parenting identity for the protagonist/audience without any indication that the user requested that framing. This can cause the system to generate content that stereotypes users, mis-targets audiences, or injects sensitive demographic assumptions into otherwise general-purpose outputs, creating reputational and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
