Security audit

Web Security Client-Side Scanner 1773654191

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed client-side web security review checklist skill with non-destructive limits and no executable install or hidden behavior.

Install this only for authorized testing of sites you own or have permission to assess. Confirm the target, credentials, and client-side scope before use, approve any active or noisy scanning explicitly, and treat the saved report as sensitive because it may contain URLs, tokens, exposed endpoints, or vulnerability evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (90% confidence)

Finding: The trigger language is broad enough to activate on generic requests like 'test the security of this site,' which can cause the agent to select an offensive security skill without clearly establishing that the user specifically wants a client-side-only assessment. In an agentic system, overly broad activation increases the chance of mis-scoped security testing guidance being invoked in inappropriate contexts.

Vague Triggers

Medium (92% confidence)

Finding: The activation criteria do not cleanly separate frontend review from broader web application security testing, yet the examples include generic pentest requests that could encompass server-side and authenticated attack paths. This ambiguity can lead to unsafe or unauthorized task expansion because the skill may be used when a more constrained clarification step is needed.

Missing User Warnings

Low (84% confidence)

Finding: The skill directs the agent to save a report file to the current working directory without requiring user confirmation or warning that local disk will be modified. In agent environments, silent file writes can violate user expectations, overwrite existing artifacts, or create persistence of sensitive assessment data.

VirusTotal

65/65 vendors flagged this skill as clean.
