Cosprompt

Security checks across malware telemetry and agentic risk

Overview

This prompt-generation skill is mostly coherent, but it includes underage character categories in an image-prompt framework without clear safety limits.

Review carefully before installing. The skill has no code payload and clean VT/static signals, but it should add an adults-only or minor-safety rule before use for human character image prompts, and users should avoid requests involving minors, school-age characters, or ambiguous young-looking people.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest trigger is broadly phrased around generic prompt-generation needs, which can cause the skill to activate in situations beyond the user's clear intent. Over-broad activation increases the chance the agent will invoke browser/search behavior unnecessarily, expand data collection, or steer a conversation into this skill when a narrower or safer tool would be more appropriate.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The skill metadata and content are written to operate in Chinese without any opt-in or fallback behavior, which can override the user's language preference. This is mainly a safety and usability issue: it can confuse users, hide important caveats, and reduce transparency if the surrounding session is in another language.

Ssd 4

Medium
Confidence: 95%
Finding
The age framework explicitly includes minors such as '萝莉(12-15)' alongside appearance and vibe attributes, and elsewhere the skill is designed for poster/cosplay prompt generation with autonomous filling of visual details. In this context, providing reusable templates for underage character depiction creates a meaningful risk of sexualized or fetishized minor-image generation, especially because the skill also supports style, costume, mood, and body/face specification.

VirusTotal

64/64 vendors flagged this skill as clean.
