Slogan Maker

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local slogan-writing skill, but it ships an unrelated helper script that should be reviewed before use.

Install only if you are comfortable with the extra unrelated script being present. Prefer invoking scripts/slogan.sh directly for slogan work, and avoid passing confidential brand plans, credentials, file paths, or sensitive business text to scripts/script.sh because it can store the first argument locally in a history file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The skill metadata advertises a slogan-generation/translation capability, but the shipped script is an unrelated generic data-processing CLI with import/export/query operations and local file logging. This kind of functionality mismatch is a strong indicator of deceptive packaging: users or orchestrators may grant the skill access or invoke it under false assumptions, increasing the chance that hidden or later-expanded data handling behavior is trusted when it should not be.

Intent-Code Divergence

High
Confidence: 95%
Finding
The inline comments and help output explicitly describe the tool as a 'Data processing and analysis toolkit,' directly contradicting the declared slogan-maker purpose. In skill ecosystems, this is dangerous because contradictory self-description is a classic sign of repurposed or misleading code, making it easier to smuggle non-declared capabilities past users and reviewers.

VirusTotal

66/66 vendors flagged this skill as clean.
