CC Design

Security checks across malware telemetry and agentic risk

Overview

CC Design is a coherent design and prototyping skill whose local export helpers behave as expected, though users should review its brand-imitation and generated-file behavior.

Install it for HTML design, mockup, deck, or prototype work. Expect it to inspect local design files, fetch public brand references for brand-styled tasks, and run optional local export scripts. Review generated DESIGN.md, HTML, PDF, and PPTX files before sharing them, and avoid exact imitation of third-party brands unless you have the rights or approval to do so.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability
Medium, 93% confidence

The fallback workflow explicitly tells the skill to reconstruct third-party brand design systems from screenshots, public sources, and web inspector output. That crosses from inspiration into systematic replication of proprietary visual assets and can facilitate trademark, copyright, or terms-of-use violations, especially when automated at scale.

Natural-Language Policy Violations
Medium, 90% confidence

The guidance in this section is written only in Chinese and instructs the agent when to load or skip the context, without offering any user-language fallback. In practice, this can cause the agent to operate in a language the user did not request, degrading transparency and increasing the chance of misunderstanding design requirements or presenting inaccessible output.

Natural-Language Policy Violations
Medium, 90% confidence

The file's operational instructions are written in Chinese and implicitly assume the agent can follow that language, without offering any user-language negotiation or fallback. In a multi-language environment, this can cause the agent to produce outputs in an unintended language or misinterpret workflow constraints, degrading usability, undermining user expectations, and potentially bypassing review processes.

Vague Triggers
Medium, 89% confidence

The trigger guidance includes very broad natural-language phrases like "make it look good" and "design a screen," which can cause the skill to activate in situations where the user did not actually request this specialized design behavior. In an agent system, over-broad activation can misroute tasks, override more appropriate skills, and increase the chance of unintended behavior or prompt-scope expansion, even though the content here is not directly harmful.
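As an added example (not SkillSpector's detectors and not the CC Design skill's own code), the following Python linter runs a handful of the checks named under Vulnerability Patterns (external URLs, environment-variable reads, sudo, local script execution) and a trigger-breadth heuristic of the kind behind the Vague Triggers finding over a constructed SKILL.md. The sample file, the regexes, the generic-word list, and the one-content-word threshold are all assumptions for the demo; the scanner's real rules are not published on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample skill file for this demo; it is NOT the real CC Design SKILL.md.
SAMPLE_SKILL_MD = """\
---
name: example-design-skill
description: Use when the user says "make it look good", "design a screen", or "build a pitch deck in HTML".
---
## Workflow
1. Inspect local design files and any DESIGN.md in the repo.
2. For brand-styled work, fetch public brand references from https://brand.example.com/guide.
3. Run ./scripts/export-pdf.sh to produce the PDF and PPTX files.
4. If the exporter is missing, run `sudo npm install -g some-exporter`.
5. Read $FIGMA_TOKEN from the environment before calling the design API.
"""


@dataclass(frozen=True)
class Finding:
    category: str  # pattern family from the scanner's taxonomy
    detail: str    # the matched text
    line: int      # 1-based line number in the skill file


# These regexes are assumptions for the demo; they approximate a subset of the listed patterns.
CHECKS = [
    ("Data Exfiltration / External Transmission",
     re.compile(r"https?://[^\s)\"'`]+")),
    ("Data Exfiltration / Env Variable Harvesting",
     re.compile(r"\$[A-Z][A-Z0-9_]{2,}\b|\bos\.environ\b|\bprocess\.env\b")),
    ("Privilege Escalation / Sudo-Root Execution",
     re.compile(r"\b(?:sudo|doas)\b|\bas root\b")),
    ("Excessive Agency / Unrestricted Tool Access",
     re.compile(r"(?<!\S)\./\S+\.(?:sh|py|js)\b|\b(?:bash|sh|python3?)\s+\S+\.(?:sh|py)\b")),
]

# Words that carry no task-specific meaning in a trigger phrase (assumed list).
GENERIC_WORDS = {
    "make", "it", "look", "good", "nice", "better", "pretty", "design", "screen",
    "page", "thing", "this", "that", "a", "an", "the", "something", "up",
}
# A phrase with at most this many non-generic words is treated as over-broad (assumed threshold).
BROAD_MAX_SPECIFIC_WORDS = 1

TRIGGER_PHRASE_RE = re.compile(r'"([^"]+)"')


def is_broad_trigger(phrase: str) -> bool:
    """True when the phrase is built almost entirely from generic words."""
    words = re.findall(r"[a-z]+", phrase.lower())
    specific = [w for w in words if w not in GENERIC_WORDS]
    return len(specific) <= BROAD_MAX_SPECIFIC_WORDS


def scan_skill(text: str) -> list[Finding]:
    """Run every check over each line and collect findings with line numbers."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in CHECKS:
            for match in pattern.finditer(line):
                findings.append(Finding(category, match.group(0).strip().rstrip(".,;"), lineno))
        # Trigger phrases are taken from the front-matter description line only.
        if line.lstrip().startswith("description:"):
            for phrase in TRIGGER_PHRASE_RE.findall(line):
                if is_broad_trigger(phrase):
                    findings.append(Finding("Trigger Abuse / Overly Broad Trigger", phrase, lineno))
    return findings


def count_by_category(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per category, the shape a report summary would show."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL_MD):
        print(f"line {f.line}: {f.category}: {f.detail}")
```

On the constructed file the linter reports six findings: both short trigger phrases, the brand-reference URL, the local export script, the sudo install, and the token read from the environment, while the more specific "build a pitch deck in HTML" trigger passes. A URL or script hit is not a vulnerability by itself (fetching public brand references is exactly what the Overview says to expect); the value of such a pass is that each capability is surfaced with a line number so a reviewer can decide whether it belongs in the skill's context.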

VirusTotal

64/64 vendors flagged this skill as clean.
