claw-superpowers

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate software-development workflow skill, but it tries to make its process mandatory too broadly and can steer agents into repository changes, commits, subagents, and worktree actions even for simple tasks.

Install only if you explicitly want a strict, process-enforcing development assistant. Before using it, tell your agent that your direct instructions, consent requirements, and safety rules override the skill, and require confirmation before commits, pushes, dependency installs, worktree cleanup, or subagent delegation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 97%
Finding
This instruction forces near-universal invocation of the skill whenever there is even a minimal chance it might apply, which can override normal task scoping and user intent. In practice, it can cause prompt hijacking of the agent’s workflow, making the agent follow this skill’s process before other safer or more appropriate instructions and creating denial-of-service-style friction or unauthorized actions.

Vague Triggers

Medium
Confidence: 90%
Finding
The brainstorming trigger applies to 'any creative work' including routine modifications, which is overly broad and can force unnecessary design-gate behavior before simple edits. This can be abused to stall work, redirect conversations, or coerce the agent into creating files/commits and following a rigid workflow unrelated to the user’s immediate request.

VirusTotal

64/64 vendors flagged this skill as clean.
