Design Agent

Security checks across malware telemetry and agentic risk

Overview

This is a design-guidance skill made of markdown instructions and templates, with disclosed file-creation and visual-review steps that users should supervise.

Install this if you want agents to apply consistent design rules. Before using it, review any generated DESIGN.md, confirm where it will be written, avoid sending confidential screenshots to a vision model, and verify any third-party design site or npx command before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium severity, 92% confidence
Finding
The trigger description is very broad and includes vague phrases like 'make it look better', 'improve the UI', and 'any output where visual design matters', which can cause the skill to activate in contexts the user did not explicitly request. In an agentic system, this can lead to unintended tool/skill chaining, unnecessary external dependency suggestions, and expansion of the task scope beyond the user's intent.

Natural-Language Policy Violations

Low severity, 78% confidence
Finding
Including the language-specific trigger 'UI美化' (Chinese for "UI beautification") without explaining why that one language is singled out can cause asymmetric activation behavior across languages, and may invoke the skill on untranslated or mixed-language text that the user did not intend as a design request. This is primarily a scope-control and predictability issue rather than a direct security flaw, but it still increases the chance of unintended invocation.

Missing User Warnings

Medium severity, 93% confidence
Finding
The guide instructs another skill to write a DESIGN.md file into the project directory without mentioning user consent, safe write boundaries, or overwrite behavior. In an agentic environment, this can lead to unintended filesystem modification, especially if the target project directory is inferred incorrectly or already contains a file with the same name.

Missing User Warnings

Medium severity, 95% confidence
Finding
This instruction reinforces writing DESIGN.md as a standard step while omitting disclosure of file-write side effects and collision handling. Recommending persistent file creation as part of normal operation can normalize silent project modification and increase the chance of clobbering user content or making unwanted repository changes.
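The two DESIGN.md findings above come down to the same missing guard: a write that is confined to the project directory the user approved and that never silently replaces an existing file. The block below is an added illustration of that guard and is not code from the Design Agent skill or from SkillSpector. The function names (plan_write, apply_write, demo), the UnsafeWrite exception and the temporary project directory it exercises are all assumptions made for the example; the write is split into a dry-run plan that can be shown to the user and a separate apply step that runs only after consent.

```python
"""Guarded DESIGN.md write for an agent skill (added illustration, not the skill's own code)."""
import tempfile
from pathlib import Path


class UnsafeWrite(Exception):
    """Raised when a write would leave the project root or clobber an existing file."""


def plan_write(project_root: str, relative_name: str, content: str,
               allow_overwrite: bool = False) -> dict:
    """Validate a proposed write and describe it without touching the disk.

    The returned plan is what the agent should show the user before writing.
    """
    root = Path(project_root).resolve()
    # resolve() follows symlinks, so a link that points outside the root is
    # caught by the boundary check below just like a '../' path would be.
    target = (root / relative_name).resolve()
    try:
        rel = target.relative_to(root)          # ValueError: outside the root
    except ValueError:
        raise UnsafeWrite(f"{relative_name!r} resolves outside {root}") from None
    if target.exists():
        if target.is_dir():
            raise UnsafeWrite(f"{rel} is a directory")
        if not allow_overwrite:
            # Collision handling: an existing file needs explicit consent.
            raise UnsafeWrite(f"{rel} already exists; refusing to overwrite without consent")
        action = "overwrite"
    else:
        action = "create"
    return {"action": action, "path": str(target), "bytes": len(content.encode())}


def apply_write(plan: dict, content: str) -> str:
    """Perform a write whose plan the user has reviewed and approved."""
    target = Path(plan["path"])
    if plan["action"] == "create" and target.exists():
        # The file appeared between planning and applying; do not clobber it.
        raise UnsafeWrite(f"{target} appeared after the plan was shown; re-plan")
    target.write_text(content)
    return plan["action"]


def demo() -> dict:
    """Exercise the guard against a constructed temporary project directory."""
    results = {}
    content = "# Design rules\n"                 # constructed sample content
    with tempfile.TemporaryDirectory() as project:
        plan = plan_write(project, "DESIGN.md", content)
        results["first"] = plan["action"]         # nothing there yet: create
        apply_write(plan, content)
        try:
            plan_write(project, "DESIGN.md", content)
            results["collision"] = "allowed"
        except UnsafeWrite:
            results["collision"] = "refused"      # file exists, no consent given
        results["consented"] = plan_write(project, "DESIGN.md", content,
                                          allow_overwrite=True)["action"]
        try:
            plan_write(project, "../DESIGN.md", content)
            results["escape"] = "allowed"
        except UnsafeWrite:
            results["escape"] = "refused"         # would leave the project root
    return results


if __name__ == "__main__":
    print(demo())
```

An agent that follows this pattern presents the plan (target path, create versus overwrite, size) before writing, which is exactly the disclosure the two findings say the guide omits. Keeping the boundary check on the resolved path rather than on the string the model produced is what makes an inferred or mistaken project directory fail closed instead of writing somewhere unexpected.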

VirusTotal

66/66 vendors flagged this skill as clean.