Validation Rules Builder

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed construction data validation helper with local file handling, and the reviewed artifacts do not show hidden, destructive, credential-seeking, or exfiltration behavior.

Install only if you are comfortable granting filesystem access for local project data validation. Keep input and export paths explicit, review any generated custom validation functions before running them, and treat cost estimates or cost analysis as advisory rather than authoritative financial output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The schedule validator defines a dates_valid function intended to ensure start_date is not after end_date, but never registers or invokes it. This creates a logic gap where invalid schedule records can pass validation despite the skill claiming schedule validation support, potentially allowing bad planning data to propagate into downstream workflows.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The instructions materially expand the skill from validation-rule generation into cost estimating and cost analysis, which is outside the declared skill purpose. This scope drift can cause the agent to perform unintended financial-analysis tasks, increasing the chance of misuse, incorrect tool selection, or processing sensitive project cost data under the wrong operational assumptions.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The output requirements emphasize analytical reporting, summary statistics, and export behavior rather than producing validation rules, reinforcing a behavior mismatch with the stated skill purpose. In practice, this can steer the agent to generate derived analysis artifacts or exports instead of constrained validation logic, which broadens data handling and may expose or mishandle project information.

VirusTotal

64/64 vendors flagged this skill as clean.
