ClawHub

gstack Office Hours

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only product brainstorming skill, but it can inspect repository context and save its design output for future sessions.

Install this only if you are comfortable with the agent using repository and git-history context during product discussions and saving the resulting design document to memory. Avoid using it in repositories with secrets, sensitive history, or confidential product plans unless you can prevent persistence or review what is stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
95% confidence
Finding
The manifest description includes broad trigger phrases like 'help me think through this' and 'I have an idea,' which are common in ordinary conversation and can cause the skill to activate unintentionally. Over-broad auto-invocation is risky because it may steer unrelated sessions into this skill's workflow, including repository inspection and memory persistence behaviors the user did not explicitly request.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to read the workspace, inspect git history, search the codebase, and later save a design document to memory, but it does not require explicit user consent or provide a warning about data access and persistence. This creates a privacy and data-governance risk because sensitive source code, commit history, or proprietary project context could be accessed and retained unexpectedly.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal