MetricHub Metrics Platform

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MetricHub assistant skill that explains platform navigation, metric-query construction, and dashboard workflows without hidden code or persistence.

Install this only if you intend your agent to help operate MetricHub workspaces. Because it can guide query execution and dashboard creation using tenant credentials, keep it scoped to trusted workspaces and confirm before changing Gateway settings or creating persistent dashboards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill description/trigger text is extremely broad and overlaps with ordinary analytics requests such as querying metrics, rankings, time filtering, and dashboard creation. In an agent environment, this can cause unintended activation or routing of general user requests into this skill, which may lead to unauthorized query execution, unexpected backend calls, or disclosure of tenant-scoped metadata if downstream authorization is imperfect.

Vague Triggers

Medium
Confidence: 90%
Finding
The routing table maps vague natural-language intents like 'help me analyze XX' or 'search metrics' directly to platform routes without clear activation boundaries. This increases the chance of accidental skill takeover of common conversations and may steer users into sensitive tenant pages or initiate platform actions under ambiguous intent, especially in a multi-tenant system with query execution and settings pages.

VirusTotal

64/64 vendors flagged this skill as clean.
