ClawHub

Wyld Stallyns: Be Excellent ๐ŸŽธ

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed persona/legend skill with a user-triggered workflow for adding new entries, but users should review generated additions before letting them persist.

Install only if you want a skill that can extend its own persona library. When using the forge command, review the generated legend file and council.json entry before keeping them, and prefer explicit full-name aliases to avoid accidental activation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The alias list includes very broad single-word triggers such as "marcus," "aurelius," and especially "stoic," which are plausible natural-language terms a user might say without intending to invoke this specific skill behavior. If the platform uses aliases for routing or activation, these generic terms can cause ambiguous or unintended invocation, increasing the chance of misrouting user requests.

Vague Triggers

Medium
Confidence
92% confidence
Finding
This entry uses common first-name aliases like "richard" that are too vague to safely serve as trigger terms in a manifest-driven system. A user mentioning an ordinary first name in unrelated conversation could accidentally match the alias, causing unintended activation or selection of the wrong persona.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Across the manifest, many aliases are common given names or generic surnames such as "bruce," "lee," "esther," "ben," and "franklin," creating broad and overlapping trigger conditions. In aggregate this materially raises the probability of accidental routing, incorrect persona selection, or unintended skill behavior when users use ordinary language containing those names.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal