PAI

Security checks across malware telemetry and agentic risk

Overview

PAI is a broad personal-agent framework that tries to govern nearly every interaction and can persist data, spawn agents, and run local commands with too little scoping.

Install only if you want PAI to act as a broad, always-on personal-agent framework, not as a narrow helper skill. Review the memory/logging behavior, USER directory handling, voice notification curls, MCP profile changes, and autonomous loop commands before use. Avoid putting secrets in PRDs or USER templates unless you are comfortable with local tools and spawned Claude sessions seeing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (324)

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: In verbose mode, the CLI prints the full action input to stderr, which can expose secrets, personal data, or tokens supplied via stdin or --input. CLI tools are often run in terminals, CI jobs, and shell histories where stderr may be captured or logged, so this creates a real confidentiality risk even though it is user-enabled.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: The skill explicitly advertises always-on console monitoring and network request tracking but provides no warning that these channels can contain secrets such as session tokens, API keys, personal data, or internal URLs. In a browser automation context, this increases the chance that sensitive data is collected, surfaced to the agent, logged, or retained unintentionally during routine use.

Missing User Warnings
Severity: Medium | Confidence: 89%
Finding: The documentation explicitly describes autonomous loop execution that reads PRDs, updates checkboxes, reconciles results, and runs local actions, but it does not warn users that invoking these commands can modify local files and system state. In a skill that automates infrastructure and agent activity, omission of state-changing warnings increases the chance of unintended execution and unsafe use.

Missing User Warnings
Severity: Medium | Confidence: 86%
Finding: The interactive and loop modes state that they spawn Claude sessions with PRD context and failing criteria, but they do not clearly warn that project or PRD data is transmitted into a spawned model session. If PRDs contain secrets, internal architecture, or sensitive work items, users may disclose data without realizing the privacy implications.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: Verbose mode is documented as printing full input and output details, yet there is no warning that those details may include API keys, tokens, personal data, or proprietary content. Such data can be exposed on shared terminals, shell history, CI logs, or captured stderr streams.
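The two verbose-mode findings above share one fix: redact the action input before it is echoed to stderr, rather than relying on the user never to pass secrets. The following is an added example of that redaction, not code from the PAI project; the sensitive key names, the credential regexes, the `--verbose` behaviour it stands in for, and the sample payload are all assumptions for illustration.

```python
"""Redact secret-like values before a CLI echoes its action input to stderr.

Added example, not code from the PAI project. The key names, credential
regexes and the sample payload below are assumptions for illustration.
"""
import json
import re
import sys
from typing import Any

# Keys whose values are dropped wholesale (case-insensitive substring match).
SENSITIVE_KEYS = ("token", "secret", "password", "passwd", "api_key", "apikey",
                  "authorization", "cookie", "private_key")

# Value shapes that look like credentials whatever the key is called.
SECRET_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),                  # OpenAI-style key
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                     # AWS access key id
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),           # GitHub token
    re.compile(r"\bey[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),  # JWT
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"),   # Authorization header value
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
]

REDACTED = "[REDACTED]"


def redact_text(text: str) -> str:
    """Mask credential-shaped substrings inside free text such as notes or commands."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def redact(value: Any, key: str = "") -> Any:
    """Recursively redact a JSON-like action input (dicts, lists, scalars)."""
    if isinstance(value, dict):
        return {k: redact(v, str(k)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, key) for v in value]
    if isinstance(value, str):
        # A sensitive key name redacts the whole value; otherwise scan the text.
        if any(marker in key.lower() for marker in SENSITIVE_KEYS):
            return REDACTED
        return redact_text(value)
    return value


def verbose_dump(action_input: Any, stream=sys.stderr) -> str:
    """What a verbose flag should print: the redacted input, never the raw one."""
    rendered = json.dumps(redact(action_input), indent=2, sort_keys=True)
    print(rendered, file=stream)
    return rendered


# Constructed sample payload (assumption), the kind of input a PRD-driven action might carry.
SAMPLE_INPUT = {
    "action": "deploy",
    "api_key": "sk-abcdefghijklmnopqrstuvwxyz0123",
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.dGVzdHNpZ25hdHVyZQ"},
    "cmd": "curl -H 'Authorization: Bearer abcdefghijklmnop1234' https://internal.example/api",
    "notes": "rotate AKIAIOSFODNN7EXAMPLE after the run",
    "targets": ["staging", "prod"],
}

if __name__ == "__main__":
    verbose_dump(SAMPLE_INPUT)
```

Key-name matching catches the structured cases (`api_key`, `Authorization`), while the value patterns catch credentials embedded in free text such as a shell command or a note; neither alone is enough, and the list of patterns is a starting point rather than a complete inventory.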

Vague Triggers
Severity: Medium | Confidence: 88%
Finding: The routing table uses very broad trigger phrases such as "projects," "goals," and especially "deploy," which can cause unrelated user requests to load additional documentation or sensitive project context unexpectedly. In a context-loading system, overbroad triggers increase the chance of inappropriate scope expansion, accidental disclosure of internal paths or personal data references, and prompt-injection amplification through unnecessary file inclusion.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: The document explicitly routes the agent toward `USER/` content containing personal data but provides no privacy guardrails, minimization rules, or confirmation requirements before access. That omission is risky because context loading mechanisms often expose more data than needed, and the sensitivity of identity, health, finances, and contacts makes accidental disclosure materially harmful.

Natural-Language Policy Violations
Severity: Medium | Confidence: 81%
Finding: The skill requires a spoken-aloud output via a fixed `🗣️ {DAIDENTITY.NAME}` pattern but does not provide any mechanism to choose language, locale, pronunciation, or accessibility preferences. This can cause inappropriate or unusable output for multilingual users, speech interfaces, or regulated contexts, and the mandatory nature of the requirement makes the issue more likely to surface in normal use.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: The skill strongly mandates selecting and using multiple capabilities, agents, and task operations as the default workflow, but it does not require a safety check or explicit user confirmation before potentially impactful actions are taken. In an adversarial or ambiguous context, this can pressure an agent into unnecessary tool use, delegation, or execution behavior that increases the chance of unintended side effects, data exposure, or unsafe automation.

Vague Triggers
Severity: High | Confidence: 95%
Finding: The skill declares that its phased process is mandatory for "every single response" with "no exceptions," which gives it an extremely broad invocation scope. In an agent environment, this can hijack normal system behavior, force unnecessary tool usage, and create denial-of-service-style overhead or policy conflicts across unrelated tasks.

Vague Triggers
Severity: Medium | Confidence: 90%
Finding: The document repeatedly requires the full algorithm for "non-trivial" tasks but never defines objective thresholds for what counts as non-trivial. That ambiguity lets the skill expand unpredictably into many interactions, causing inconsistent activation, unnecessary task creation, and opportunities for prompt-induced workflow capture.

Vague Triggers
Severity: High | Confidence: 95%
Finding: The skill defines itself as an ASI-level general problem solver for everyday requests, which makes its activation scope effectively universal. In an agent system, this broad applicability can cause the skill to intercept or dominate unrelated tasks, increasing the chance of prompt override, unsafe tool use, or conflicts with more narrowly scoped safety-aware skills.

Vague Triggers
Severity: High | Confidence: 98%
Finding: The file repeatedly mandates that every response must use this algorithm and response format, with language like 'NO EXCEPTIONS' and 'EVERY SINGLE RESPONSE.' This creates a prompt-level takeover condition where the skill can supersede higher-priority system behavior, prevent safe minimal handling of simple tasks, and force unnecessary capability/tool invocation across contexts.

Natural-Language Policy Violations
Severity: Medium | Confidence: 95%
Finding: The skill imposes a single mandatory response format for all user interactions, regardless of user intent or platform context. This is dangerous because it can override higher-priority system or developer formatting requirements, reduce safe refusal flexibility, and enable prompt rigidity that interferes with normal agent controls and user choice.

Natural-Language Policy Violations
Severity: Medium | Confidence: 92%
Finding: The skill mandates spoken output through a fixed response pattern without user opt-in, which is a coercive presentation constraint rather than task logic. This can conflict with accessibility needs, user preferences, or safety-sensitive interactions where concise, direct, or non-anthropomorphic output is more appropriate.

Vague Triggers
Severity: High | Confidence: 95%
Finding: The skill defines itself as an 'ASI-level general problem solver' that infers what users really mean and can apply to essentially any request. This broad, weakly bounded scope increases the chance of unintended activation, instruction takeover, and application in contexts where more constrained, domain-specific behavior would be safer.

Vague Triggers
Severity: High | Confidence: 98%
Finding: The file repeatedly states that every response must use the algorithm and prescribed format, with no meaningful trigger boundary. That can override higher-level application behavior, force unnecessary tool use or workflow changes, and create a prompt-scope escalation where a single skill attempts to govern all interactions.

Natural-Language Policy Violations
Severity: Medium | Confidence: 87%
Finding: The skill mandates a specific spoken response identity/format ('THIS IS SPOKEN ALOUD') without user consent or context sensitivity. This can cause unwanted persona injection, accessibility issues, or leakage of internal framing into end-user responses when a different tone, language, or modality is required.

Vague Triggers
Severity: High | Confidence: 97%
Finding: The skill frames itself as an 'ASI-level general problem solver' for everyday requests, with no bounded activation criteria or domain limits. That broad scope can cause the skill to activate on arbitrary prompts and override safer, task-specific behavior, increasing the chance of prompt capture, denial of service through excessive process, or misuse of tools in contexts where this skill should not run.

Vague Triggers
Severity: High | Confidence: 99%
Finding: The file repeatedly states that every response 'must' use this algorithm and format, effectively attempting to hijack the assistant's global behavior regardless of user intent or system policy. In skill systems, this creates an over-broad trigger and instruction-precedence conflict that can suppress normal safeguards, force unnecessary tool usage, and degrade or block correct handling of unrelated tasks.

Vague Triggers
Severity: High | Confidence: 95%
Finding: The skill describes itself as an ASI-level general problem solver that can reinterpret essentially any user request, which makes its activation scope effectively unbounded. In an agent environment, this can cause the skill to override normal routing and inject its own process into unrelated tasks, increasing the chance of prompt hijacking, unsafe tool use, and instruction conflicts.

Vague Triggers
Severity: High | Confidence: 98%
Finding: Mandating a response format for all responses is a classic scope-capture problem: it attempts to govern every interaction regardless of user intent or system policy. This can interfere with higher-priority instructions, break other skills, and coerce tool invocation patterns even when they are unnecessary or unsafe.

Vague Triggers
Severity: Medium | Confidence: 93%
Finding: Repeated 'always use' directives without meaningful exclusions encourage the skill to self-apply in every context, even where it is a poor fit. That broadens the blast radius of any bad behavior in the skill and makes safe orchestration harder because the skill resists selective use.

Natural-Language Policy Violations
Severity: Medium | Confidence: 84%
Finding: Forcing a single spoken response identity without user consent can override user preferences and create deceptive or unwanted persona behavior. While not directly code-executing, it is still a policy and trust issue because it reduces user control over how the agent presents itself.

Natural-Language Policy Violations
Severity: Medium | Confidence: 94%
Finding: The skill imposes a mandatory response format for every interaction and explicitly frames deviation as a critical error. This can override user intent, reduce the agent's ability to safely adapt responses, and act as instruction-locking that makes it harder to honor higher-priority safety, privacy, or task-specific requirements.
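The Vague Triggers and Natural-Language Policy Violations findings above all reduce to phrase-level patterns in the skill's own instruction text: "every single response", "no exceptions", "always use", an undefined "non-trivial" threshold, a mandatory format or spoken persona, and deviation framed as an error. The following is an added example of a line-oriented scanner for those patterns, not SkillSpector's or PAI's code; the rule phrases, the severity mapping, and the sample skill text are assumptions chosen to mirror the findings, and a real scanner would need a broader phrase list and a human reviewer on the output.

```python
"""Flag scope-capture and coercive-format directives in a skill's instructions.

Added example, not SkillSpector's or PAI's code. The phrase lists, the
severity mapping and the sample skill text are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    line_no: int
    matched: str
    excerpt: str


# (category, severity, pattern). Rules are phrase-level so a reviewer can see
# exactly which words triggered; (?i) makes every rule case-insensitive.
RULES = [
    # Directives that claim every interaction: the trigger has no boundary.
    ("Vague Triggers", "High",
     re.compile(r"(?i)\b(every|all)\s+(single\s+)?(response|interaction|request|task)s?\b")),
    ("Vague Triggers", "High", re.compile(r"(?i)\bno\s+exceptions?\b")),
    ("Vague Triggers", "Medium", re.compile(r"(?i)\balways\s+(use|apply|run|follow)\b")),
    # Undefined threshold: the skill decides for itself when it applies.
    ("Vague Triggers", "Medium", re.compile(r"(?i)\bnon-?trivial\b")),
    # Presentation coerced rather than task logic: a mandatory format or persona.
    ("Natural-Language Policy Violations", "Medium",
     re.compile(r"(?i)\b(must|mandatory|required)\b[^.\n]{0,60}\b(format|template|persona|identity)\b")),
    ("Natural-Language Policy Violations", "Medium", re.compile(r"(?i)\bspoken\s+aloud\b")),
    # Deviation framed as an error locks the instruction against higher-priority policy.
    ("Natural-Language Policy Violations", "Medium",
     re.compile(r"(?i)\b(deviation|deviating)\b[^.\n]{0,40}\b(error|failure|violation)\b")),
]

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


def scan_skill(text: str) -> List[Finding]:
    """Run every rule over every line of the skill text; one Finding per match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, severity, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append(Finding(category, severity, line_no, match.group(0), line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, the way the report header above does."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


def max_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'None' when the text is clean."""
    if not findings:
        return "None"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


# Constructed sample (assumption) in the directive style the findings describe.
SAMPLE_SKILL = """\
# Algorithm
This process is MANDATORY for EVERY SINGLE RESPONSE. NO EXCEPTIONS.
Use the full algorithm for any non-trivial task.
## Output format
Every response must use this response format. Deviation is a critical error.
Start with the persona name prefix (THIS IS SPOKEN ALOUD).
## Notes
Unrelated helper text with no directives.
"""

if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL):
        print(f"{f.severity:6} {f.category}: line {f.line_no} matched {f.matched!r}")
```

Running the block on the sample reports seven matches on lines 2, 3, 5 and 6 and nothing on the heading or the neutral helper line, which is the behaviour a reviewer wants: the hits point at the exact directive to rewrite or scope, and a clean skill yields no findings rather than a wall of noise.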

VirusTotal

65/65 vendors flagged this skill as clean.
