Skill Multi Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about publishing skills, but it can make public external changes under the user's accounts without strong approval gates.

Install only if you want an agent to help publish skills publicly. Before using it, verify the active GitHub and ClawHub accounts, inspect the exact directory for secrets or private files, and require the agent to show a dry run and wait for explicit confirmation before creating repos, pushing commits, publishing to ClawHub, or opening PRs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger phrases are broad enough that normal user requests like 'publish this skill' or 'release this skill everywhere' may invoke a workflow that initializes git, creates public repositories, and pushes content remotely. In a skill that performs irreversible external actions, ambiguous activation materially increases the risk of unintended publication of code or sensitive local files.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill description does not clearly warn that it may create public repositories and upload local directory contents to third-party marketplaces. In this context, insufficient disclosure is dangerous because users may invoke the skill without understanding that local files, metadata, or accidentally included secrets could be published externally.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger phrases are broad enough to activate on ordinary requests about publishing or releasing, which can cause the skill to take over unrelated workflows. In this skill, mistaken activation is especially risky because the documented behavior includes repository creation, pushes, and public PR submissions to external services.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill advertises one-command automation that creates repositories, pushes code, publishes to marketplaces, and submits PRs, but it does not prominently require an explicit informed confirmation before making public external changes. This creates a substantial risk of accidental disclosure of code, metadata, or incomplete content to public services under the user's authenticated accounts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The auto-generation step writes LICENSE and README.md into the skill directory without an explicit notice about local filesystem modification or safeguards against overwriting existing files. Even if intended as convenience, silent writes can alter a repository state, create misleading legal files, or overwrite user-authored content in preparation for later publication.

Natural-Language Policy Violations

Severity: Medium
Confidence: 84%
Finding
Generating a bilingual README based on inferred user identity or language background is an inappropriate behavioral assumption without explicit opt-in. While lower severity than the publishing actions, it can produce unwanted content, reveal assumptions about the user, and cause incorrect or unsuitable repository artifacts to be committed and published.

VirusTotal

65/65 vendors flagged this skill as clean.