Back to skill

Security audit

ClawHub Demo Skill

Security checks across malware telemetry and agentic risk

Overview

This is a minimal demo skill that only confirms it is active and optionally echoes a short phrase.

This skill is appropriate for basic installation testing. Because it may be invoked implicitly for related test prompts and can echo user-provided text, avoid giving it sensitive phrases to repeat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill enables implicit invocation without any activation constraints, narrowing conditions, or examples that would limit when the agent should call it. Even though this demo skill appears low-risk, broad implicit invocation can cause unintended triggering, unexpected data flow into the skill, or confusion about when the agent should use it, which is a genuine security and safety weakness.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.