ClawHub

Audit

Security checks across malware telemetry and agentic risk

Overview

This appears to be an audit-style skill, but it asks the agent to inspect sensitive code, contracts, and financial materials while promising immutable logging without clear consent or retention limits.

Review this carefully before installing. Use it only on materials you are authorized to analyze, and avoid feeding it secrets, private contracts, proprietary code, or regulated financial data unless you are comfortable with those artifacts being persistently logged. Ask the publisher to clarify whether logs store full artifact contents, where they are kept, who can access them, how secrets are redacted, and whether logging can be disabled or deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest description is highly broad and authority-framed ('Supreme Verifier', inspection of code, contracts, and capital flows) without defining user-approved triggers, scope boundaries, or operating constraints. That ambiguity can cause over-invocation or inappropriate use on sensitive materials, increasing the chance of unauthorized analysis or users relying on the skill in contexts it was not safely designed to handle.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The protocol explicitly promises 'Immutable logging of all inspected artifacts' but provides no warning, consent flow, retention limits, or exclusions for secrets, personal data, regulated data, or proprietary code. In an auditing skill that handles financial, legal, and technical artifacts, this creates a significant risk of irreversible storage of sensitive information, with privacy, confidentiality, and compliance consequences if logs are exposed or shared.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal