Skill Preflight Checker

Security checks across malware telemetry and agentic risk

Overview

This is a visible checklist-style skill for checking other skills before installation, with broad trigger wording but no bundled executable code or hidden persistence.

Safe to install as an instruction-only preflight checklist. Before letting it run commands, confirm the exact skill/package or repository, avoid broad scans of sensitive local folders, use an isolated working directory or container, and review the generated recommendation before continuing an installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are very broad and generic, such as '检查这个技能' and '安全分析', which can easily overlap with normal user requests and cause the skill to activate unexpectedly. In a security-oriented skill, unintended activation is risky because users may rely on its output as an authoritative safety judgment in contexts the skill was not explicitly invoked for.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrase is very broad natural language and can match ordinary safety-assessment requests that are not clearly intended to invoke this specific skill. In an agentic system, ambiguous activation can cause the wrong skill to run automatically, leading to unexpected package/network inspection steps or overly trusting workflow decisions in a security-sensitive installation context.

Vague Triggers

Medium
Confidence: 84%
Finding
The batch-check example is underspecified about what the 5 skills are, where they come from, and what evidence is available, making it easy for the skill to activate on vague planning or conversational text. In a security tool, this ambiguity is risky because it may trigger automated analysis or recommendations without enough context to produce reliable decisions.

VirusTotal

63/63 vendors flagged this skill as clean.
