ClawHub

Client Report Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent report-generation helper that processes user-provided data and produces Markdown or HTML reports, with normal care needed for sensitive client information.

Install this if you want help turning data into client-facing reports. Only provide files, URLs, and client metrics you are comfortable processing, confirm that broad requests like “weekly report” are meant to invoke this skill, and review generated HTML before sharing because untrusted text or links may remain active in the exported page.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read local files and invoke local scripts (`scripts/parse_data.py`, `scripts/report_to_html.py`) but declares no permissions. That mismatch can bypass user or platform expectations about what capabilities the skill needs, increasing the risk of unauthorized file access or processing of sensitive local data if the skill is activated.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad for a common business task domain (`weekly report`, `monthly report`, `status report`), so the skill may activate in unrelated conversations where a user merely mentions those phrases. In this skill's context, unintended activation is more concerning because activation can lead to file parsing, URL fetching, and script execution workflows on potentially sensitive client data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal