ClawHub

Use Skills

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only helper for choosing related skills, with broad routing language but no code execution, credentials, persistence, or hidden data access.

Install this if you want help choosing skills for multi-domain work. Use Restricted or Recommended for tighter control, and use All related only when you intentionally want broad skill coverage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README states that the skill can be selected automatically when a request is 'clearly multi-domain,' but it does not define strict criteria for that trigger. In a meta-skill that controls which other skills are activated, vague auto-selection language can cause unintended invocation, expanding the working set without an explicit user choice and potentially bypassing the safety boundary the document otherwise emphasizes around mode selection.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example triggers include very broad natural-language phrases such as requests spanning planning, implementation, review, README rewriting, and review requests. Because these overlap with ordinary user prompts, the skill may activate unexpectedly and alter behavior, causing unsolicited mode-selection prompts or unnecessary skill orchestration that can interfere with normal task handling.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The examples encourage invoking `use-skills` from very common request phrasings such as planning, coding, documentation, and review, without clearly constraining when skill activation should occur or requiring explicit user confirmation in all cases. In an agent setting, broad trigger patterns can cause unintended skill selection and context expansion, which may lead to overbroad tool use, exposure of additional capabilities, or unexpected processing of sensitive workspace content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal