Build Protocol Engineering

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed engineering workflow skill with a local audit script; it is process-heavy but not deceptive or destructive.

Install this if you want a strict engineering workflow with design-doc, audit, runbook, and rollback gates. Before running the included audit script, review it in your project context because it reads local source/config files, may print secret-like findings to the terminal, and can run TypeScript checks via npx.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
Broad trigger phrases like 'build service', 'write design doc', or similar everyday engineering terms can activate the skill in situations where the user did not intend a full build/deploy workflow. Over-broad activation can cause unnecessary auditing, command execution, or process steering in unrelated tasks. The issue is amplified here because the skill includes blocking checks and operational guidance tied to production workflows.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger section mixes broad contextual conditions with informal phrases and does not define clear activation boundaries. That ambiguity can lead to accidental invocation on normal coding or documentation requests, causing the skill to impose unnecessary workflow constraints or run audits unexpectedly. In a skill that references shell-based verification and deployment steps, unclear activation increases the chance of unintended high-impact behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
