Skill Scorer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed reviewer for SKILL.md files and does not show hidden execution, credential access, persistence, or automatic modification behavior.

Install only if you want a skill reviewer that may inspect skill files or folders you provide and fetch links you explicitly give it. Do not include secrets in skills you ask it to review, and review any generated fix or rewrite before applying it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Severity: High
Confidence: 95%
Finding:
The description contains very broad trigger phrases such as reviewing, auditing, scoring, linting, or checking any skill, including casual phrasing. In agent ecosystems, overbroad activation can cause the wrong skill to hijack unrelated requests, override more appropriate tools, or expose user content to unintended processing paths, which is a real safety and reliability risk.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The 'When to Activate' section uses ambiguous boundaries and informal examples that can overlap with ordinary discussion about skills. This increases the chance of erroneous routing or invocation, especially in multi-skill systems where broad natural-language matching can misfire and cause unintended analysis of user content.

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%
Finding:
The template hard-codes a Chinese-first bilingual output requirement regardless of user preference or execution context. This is a prompt-level policy override that can reduce user control, increase output size, and create instruction conflicts with higher-priority caller requirements, making downstream behavior less predictable.

Direct Prompt Extraction

Severity: High
Category: System Prompt Leakage
Content:
# Report Template — skill-scorer

> **Bilingual output rule:** Always generate the FULL report in Chinese first, then a clear separator, then the FULL report in English. No interleaving. Both versions must have identical scores, issues, and suggestions.

---
Confidence: 82%
Finding: output rule

VirusTotal

63/63 vendors flagged this skill as clean.
