Security audit

FOSMVVM ServerRequest Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only code-generation skill for FOSMVVM request scaffolding, with no hidden execution, persistence, credential collection, or exfiltration behavior found.

Before installing or using it, treat the generated server handlers as scaffolding: review authorization checks, input validation, route exposure, upload limits, error handling, and any inferred fields or operations before committing or deploying the code.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill says it references broad conversation context automatically, without defining tight activation boundaries. In an agent setting, ambiguous scope can cause the generator to absorb unrelated or adversarial context and produce requests, routes, or handlers based on unintended instructions, increasing prompt-injection and confused-deputy risk.

Vague Triggers

Medium
Confidence: 91%
Finding
The pattern-implementation section repeatedly instructs the skill to infer CRUD operations, request structure, response structure, and client type from 'conversation context' without clear constraints. Because all skill content must be treated as potentially adversarial in an agent environment, this implicit inference model makes it easier for malicious or irrelevant chat content to steer code generation toward insecure endpoints, wrong semantics, or unauthorized integrations.

VirusTotal

63/63 vendors flagged this skill as clean.