ClawHub

Akashic Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be an information-search helper, but its very generic triggers could route ordinary questions into internal knowledge-base or web searches without clear user intent.

Review this skill before installing if you use private knowledge bases or want predictable tool routing. It should ideally require explicit invocation, such as naming the skill or knowledge base, before sending a query to internal search or external web search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are very broad everyday-language patterns such as 'what is', 'tell me about', and 'search for', which can cause the skill to activate unintentionally during normal conversation. Because this skill can invoke internal knowledge-base search, web search, and AI synthesis tools, accidental activation could expose data, consume external services, or route user prompts into tool execution unexpectedly.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
86% confidence
Finding
The trigger 'search for' overlaps with a likely built-in 'search' command, creating a shadowing/confusion risk where this skill may intercept requests intended for core functionality. In this skill's context, that interception is more sensitive because it can launch web search, RAG queries, and chat synthesis, potentially changing trust boundaries and causing unintended data access or external queries.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
83% confidence
Finding
The trigger 'find information' is a generic phrase that can conflict with built-in 'find' behavior and cause unintended routing to this skill. Since the skill can query internal knowledge stores and external search providers, a routing mistake could lead to unnecessary disclosure of query contents, unexpected external lookups, or use of the wrong retrieval source.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal