ClawHub

Make Html

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed HTML artifact generator with broad default activation, but no evidence of hidden execution, exfiltration, destructive behavior, or privileged access.

Install this if you want substantial responses to become local, self-contained HTML pages by default. Be explicit when you want Markdown, JSON, plain text, or a short chat answer, and review generated HTML before sharing it if it contains sensitive project content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The default-invocation guidance is aggressive and ambiguous, encouraging the skill to activate for a wide range of 'substantial' outputs without a precise boundary. In practice this can lead to unwanted behavior changes, excessive artifact generation, and increased attack surface if user-supplied content is embedded into HTML/JS outputs by default.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The default-invocation guidance is aggressive and ambiguous, encouraging the skill to activate for a wide range of 'substantial' outputs without a precise boundary. In practice this can lead to unwanted behavior changes, excessive artifact generation, and increased attack surface if user-supplied content is embedded into HTML/JS outputs by default.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The guidance treats many ordinary phrasing patterns such as 'Plan this', 'Review this', and 'Summarize the state' as automatic triggers for HTML generation, even when the user did not request that format. This can cause the skill to activate too broadly, override user expectations, and increase the chance of producing unnecessary rich artifacts that may embed more complex content than needed.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The file establishes a default to 'use HTML aggressively' and to assume browser-native artifacts are more useful for substantial deliverables without defining strict limits. In an agent setting, this ambiguous default can lead to unintended activation for routine requests, making outputs less predictable and potentially expanding the attack surface through unnecessary interactive or self-contained HTML generation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal