ClawHub

Debug Framework

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only frontend debugging workflow with some local report-retention risk but no hidden execution, credential use, or exfiltration behavior.

Before installing, be aware that generated debug reports may capture sensitive logs, screenshots, request headers, bodies, URLs, or state snapshots. Use it for frontend debugging, and redact credentials, cookies, tokens, personal data, and internal details before saving or sharing reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs saving diagnostic reports that may contain logs, screenshots, request metadata, and other evidence, but provides no guidance to redact secrets, tokens, personal data, or internal URLs before storage. In a debugging context, these artifacts commonly include sensitive information, so persisting them to a report file can create unintended data exposure and retention risks.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The description uses very broad debugging triggers such as 'debug', '异常', and '请求失败', which are common across many normal development requests. In multi-skill routing systems, this can cause the skill to activate for loosely related prompts, increasing the chance of misrouting, over-collection of diagnostic context, or unnecessary execution of a debugging workflow where a narrower skill would be safer or more appropriate.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The package description includes very broad activation terms such as 'debug', '排查', '异常', and '请求失败', which are common in normal developer conversations and can cause the skill to trigger in many unrelated contexts. In an agent environment, overbroad activation increases the chance the skill is invoked unnecessarily, exposing its instructions and workflows in situations where they may not be appropriate and potentially interfering with safer or more specific skills.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal