ClawHub

Snow Report

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused snow-report helper that uses OpenSnow and optional saved resort preferences, with no evidence of hidden code or unrelated access.

Install if you are comfortable with the agent visiting OpenSnow for requested resorts and saving your default or favorite mountains locally. Avoid storing sensitive travel plans in `memory/snow-preferences.md`, and delete or edit that file if you do not want those preferences retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description uses broad activation language such as requests about snow, powder, ski conditions, or mountain weather, which can overlap with ordinary weather queries and casual conversation. This raises the chance of unintended invocation, causing the agent to open browser tabs and fetch external data when the user may only want a generic weather answer.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Several command phrases are vague, including natural expressions like 'how's the snow' or 'where's it snowing', which may match ambiguous user requests without sufficient constraints. In this skill, accidental activation can trigger browsing across favorites or use stored defaults, leading to unnecessary external requests and potentially exposing user preferences through unintended use of memory.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to create and use `memory/snow-preferences.md` containing a default mountain and favorites, but the skill metadata/description does not clearly warn that persistent user data will be stored. This can create privacy and consent issues because the agent may retain location-linked recreational preferences without explicit upfront notice.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal