Rag Construction

Security checks across malware telemetry and agentic risk

Overview

This is a coherent construction-document RAG helper, with the main caution that user-provided project documents and exports may contain sensitive raw text.

Install this only for project documents you intend the agent to process. Use a dedicated project folder, avoid pointing it at unrelated private directories, and review any exported knowledge base because it can include raw contract, RFI, safety report, specification, and project metadata text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly provides an export function that serializes the full knowledge base, including complete document contents and metadata, which can contain sensitive construction documents, contracts, safety reports, or project identifiers. In a RAG skill focused on enterprise/construction knowledge bases, encouraging unrestricted export without any warning, access control guidance, redaction, or minimization increases the risk of accidental data exfiltration and oversharing.

Vague Triggers

Medium
Confidence: 80%
Finding
The instruction triggers document or report generation based on a very broad condition, without clearly constraining permitted document types, data sources, or validation requirements. In a RAG/document-processing skill, this can cause the agent to act on ambiguous user requests, generate unintended outputs from sensitive project materials, or invoke downstream logic in SKILL.md without sufficient authorization or scope checks.

VirusTotal

64/64 vendors flagged this skill as clean.
