Astro Starlight

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Astro Starlight helper. The main caution is that some of its manual troubleshooting snippets delete local project artifacts or stop a local process if copied blindly.

Install this if you specifically want help with Astro Starlight documentation sites. For a generic docs-site project, first confirm that Astro/Starlight is the desired stack. Before running cleanup commands, verify you are in the project root and understand that node_modules, package-lock.json, .astro, and dist may be removed and regenerated; inspect any process before killing it. Review optional integrations before adding external analytics, search, auth, or hosting services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium, 94% confidence

The trigger guidance is excessively broad: it says to use this skill not only for explicit Starlight requests, but also when the user merely says 'docs site' or 'documentation website.' In an agent routing context, this can misclassify many generic documentation requests and inappropriately steer users toward Astro Starlight, reducing user intent fidelity and potentially causing unsafe or incorrect actions in the wrong project ecosystem.

Missing User Warnings

Medium, 89% confidence

The documentation recommends `rm -rf node_modules package-lock.json` as a troubleshooting step without warning that it irreversibly deletes local dependencies and the lockfile. In a support/troubleshooting skill, users may copy-paste commands directly, so omission of cautions increases the chance of accidental data loss or disruption to reproducible builds.

Missing User Warnings

Medium, 91% confidence

The process-killing example `lsof -ti:4321 | xargs kill` is presented as a simple fix without warning that it may terminate the wrong process or interrupt unrelated work bound to that port. Troubleshooting docs are commonly followed verbatim, so a terse kill command can cause accidental service disruption on a developer machine.

Missing User Warnings

High, 96% confidence

The 'Full reset' section instructs users to recursively delete `node_modules`, `package-lock.json`, `.astro`, and `dist` with no warning, validation steps, or note to ensure they are in the project root. Because this is framed as a nuclear option in troubleshooting guidance, stressed users are especially likely to paste it blindly, risking destructive deletion and loss of local state.

Missing User Warnings

Low, 83% confidence

The cache-clearing step `rm -rf .astro/` removes generated local state but does not explain that this is a cache/type-artifact cleanup step rather than a harmless no-op. While lower risk than broader deletions, users still deserve notice that local generated data will be removed and regenerated.

VirusTotal

64/64 vendors flagged this skill as clean.