ClawHub

Shortcuts Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent documentation-based Apple Shortcuts generator, but users should review generated shortcuts carefully before signing or running them.

Safe to install as a Shortcuts-generation reference, with caution. Before importing or running any generated shortcut, inspect actions that delete files/photos, run shell or AppleScript, access clipboard/location/contacts/photos, send messages, make network requests, use Apple Intelligence, or change system settings. Add confirmation steps for destructive shortcuts and avoid sending sensitive text or context to AI actions unless you understand where it may be processed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example invites the user to enter arbitrary text and forwards it to Apple Intelligence without explicitly warning that the content may be transmitted to an external AI service or processed off-device depending on platform behavior. In a copy-paste-ready example, omission of that disclosure can cause users to unintentionally send sensitive prompts or personal data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This example combines device/context data (weather/location-derived conditions) with an AI request but does not disclose that the assembled prompt is sent to Apple Intelligence. Users may not realize contextual data is being shared externally, which creates a privacy risk disproportionate to a simple documentation example.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation includes a complete DeletePhotos action example that wires deletion directly from a prior FindPhotos result without any accompanying confirmation, warning, or safety guard. In a skill whose purpose is to generate runnable Shortcuts plist files, this can normalize or enable creation of destructive automations that delete user photos with little friction, increasing the risk of accidental data loss.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly documents a destructive action (`Delete Photos`) and even highlights its special parameter handling, but provides no warning, confirmation guidance, scope limitation, or safety notes. In a code-generation skill that can emit fully formed Shortcuts, this increases the chance that users or downstream agents generate irreversible workflows that delete user data without adequate safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal