@gerandica

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Instagram carousel generator with some usability caveats, but no evidence of hidden access, credential use, persistence, or harmful behavior.

Install if you want a strict workflow for Instagram carousel HTML. Expect it to ask for brand details and to research current statistics; review any cited numbers before posting and override the Russian default if you need another language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The README explicitly requires output in simple Russian without indicating that this should depend on the user's requested language or locale. That can cause the agent to ignore user preference, produce unwanted language output, and create policy/compliance issues in multilingual environments where user consent and clarity matter.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation text includes broad phrases like 'social media carousel' and 'multi-slide visual content for social media', which can cause the skill to trigger for requests outside its stated Instagram-specific scope. Over-broad triggering is dangerous because it can route unrelated user tasks into a highly prescriptive workflow, causing incorrect behavior, unwanted data collection steps, or bypass of a better-matched skill.

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding
The skill instructs the agent to 'Write in simple, clear Russian by default' without checking the user's language preference. This is risky because it can override user intent, degrade output safety and usability, and cause the system to produce content the user cannot review accurately, especially when factual sourcing and brand-sensitive copy are required.

VirusTotal

65/65 vendors flagged this skill as clean.