Workspace Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ClawPad workspace organizer that creates folders and starter documents, with no evidence of hidden code, credential access, data exfiltration, or destructive behavior.

Install this if you want an agent to help set up and maintain a ClawPad workspace. In an existing or important workspace, ask it to preview the exact folders and files before creating them, because its intended behavior is to add persistent workspace structure and markdown documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger phrases are broad enough to match common, low-intent user requests such as 'help me organize' or 'new project,' which can cause the skill to activate unexpectedly. Because this skill is designed to create folders and documents, overbroad activation can lead to unintended workspace modifications or the assistant taking organizational actions the user did not explicitly request.

Vague Triggers

Medium
Confidence: 91%
Finding
The onboarding condition uses vague examples like 'just set up' and 'help me customize' without precise criteria for when the workflow should begin. In context, this increases the chance that a normal conversational message is interpreted as authorization to start a setup flow that culminates in creating workspace structure and documents.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to create spaces, folders, and a welcome document without first warning the user that it will modify the workspace. This is dangerous because it can produce non-transparent state changes, especially when combined with the broad triggers elsewhere in the file, leading to unauthorized or surprising writes in the user's environment.

VirusTotal

66/66 vendors flagged this skill as clean.
