Activity Campaign from UI

Security checks across malware telemetry and agentic risk

Overview

This is a coherent campaign-design skill, but users should expect optional local file creation and gendered poster-image defaults when requesting H5 delivery.

Install this if you want an agent to turn campaign references into H5/Web proposals and draft front-end files. Before using it, be aware that local-output requests may create or update files under project/<delivery-slug>/, and poster-led delivery may default to adult female commercial hero imagery; review generated assets and code for brand fit before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The README explicitly steers the skill toward generating 'fashionably sexy' adult female promotional imagery, which expands the skill beyond UI-to-campaign conversion into potentially sexualized human-image generation. That is risky because it can drive inappropriate outputs, create policy-compliance problems, and normalize unnecessary sensitive-content generation in a workflow whose core purpose is frontend campaign drafting.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README instructs the skill to automatically create directories and write artifacts under a local `project/` path whenever local output is requested, but it does not require an explicit confirmation step, a dry-run preview, or clear runtime disclosure before filesystem modification. In an agent/tooling environment, this can lead to unexpected local writes, overwriting user work, or creating executable web assets without sufficiently informed consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs the agent to automatically create directories and write files to the local filesystem without requiring explicit user confirmation at the time of execution. In an agent setting, silent filesystem modification is dangerous because it can surprise users, overwrite existing work, or normalize unauthorized local side effects from documentation-driven behavior.

Natural-Language Policy Violations

Severity: High
Confidence: 95%
Finding
The README imposes a default policy of using adult female hero imagery and discourages substitution with male figures, which encodes a biased and unnecessary content-selection rule into the skill. In context, this is more dangerous because the skill is meant for general campaign-page generation, so the gendered default can systematically produce inappropriate, discriminatory, or non-brand-safe outputs across otherwise unrelated use cases.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding
The skill hard-codes a female-led default for generated campaign visuals without requiring user intent, which introduces unnecessary gender/sexualized bias into outputs. In a creative generation pipeline this can produce inappropriate or non-compliant content for brands, workplaces, or regulated contexts, especially when the brief is otherwise neutral.

Natural-Language Policy Violations

Severity: Medium
Confidence: 98%
Finding
These image-generation rules repeatedly force an adult female hero and even encourage 'glamorous' and 'slightly sexy' framing by default. That creates a systematic bias toward sexualized content generation and increases the chance of policy violations, unsafe workplace outputs, or user-harmful stereotyping when the user did not ask for such imagery.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding
The skill explicitly mandates a female-only hero across multiple sections, which can override user needs and embed discriminatory output behavior into the agent. Repetition throughout the file makes the behavior persistent and harder for downstream systems to constrain, increasing the likelihood of inappropriate or exclusionary content generation.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill explicitly instructs the agent to create directories and write project files and generated assets to the local filesystem, but there is no requirement to obtain explicit user confirmation, describe the write scope, or constrain the destination to a safe sandbox. In an agent environment with filesystem access, this can cause unintended local state changes, overwrite existing content, or normalize unsafe autonomous file modification behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The scope explicitly instructs the skill to create directories and write final files to the local filesystem when local output is requested, but it does not require explicit user consent, path constraints, overwrite protections, or safety confirmations. In an agent environment with filesystem tools, this can lead to unintended local modification, file overwrites, or abuse through crafted delivery slugs or prompts that cause writes in unexpected locations.

VirusTotal

VirusTotal findings are pending for this skill version.
