skill-packager

Security checks across malware telemetry and agentic risk

Overview

This is an unfinished skill template with no code or sensitive access, so it is low security risk but not useful as a working packaging skill yet.

Install only if you want a template or authoring reference. Do not expect this to package skills until the TODO sections are replaced with a clear purpose, trigger conditions, workflow, and safety boundaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 96% confidence
Finding
The skill description is still template text and does not define what the skill actually does or when it should be invoked. In an agent system, vague or missing trigger conditions can cause the wrong skill to be selected for unrelated tasks, increasing the chance of unsafe automation, misuse of tools, or unintended file handling.

Vague Triggers

Medium, 94% confidence
Finding
The Overview section is incomplete and leaves the skill's operational scope undefined. Without a clear scope and invocation context, downstream agents or users may over-apply the skill to tasks it was never meant to handle, which is a security and reliability risk even if no explicit malicious payload is present.

Vague Triggers

Medium, 95% confidence
Finding
The main body contains authoring guidance rather than executable skill instructions, so there are no concrete boundaries, workflows, or constraints for safe use. This ambiguity is especially risky in agent environments because placeholder sections can lead the model to improvise behavior, potentially invoking tools or processing files without a well-defined safety envelope.

VirusTotal

65/65 vendors flagged this skill as clean.
