Gr Core

Security checks across malware telemetry and agentic risk

Overview

This growth-routing skill is mostly coherent, but it tells agents to check API keys from environment variables, local files, and memory before routing to child skills without clear user consent or scope limits.

Review this before installing if your workspace contains API keys, Railway variables, or MEMORY.md entries with credentials. Use it only where you are comfortable with growth sub-skills checking credentials for the current task, and prefer requiring the agent to ask before reading or using any secret source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The skill description uses very broad natural-language trigger examples such as '写篇博客' and '分析对手', which are common user requests and can cause this router to activate in situations where a more specific skill should be chosen directly. In an agent environment, over-broad routing increases the chance of unintended invocation paths, unnecessary access to downstream skills, and user confusion about what actions will be taken.

Vague Triggers

Severity: Low
Confidence: 84%
Finding:
The activation guidance says to use this skill when the problem is in the 'growth' domain but the specific child skill is unclear, yet it does not define a firm boundary between invoking this router versus a child skill directly. That ambiguity can lead to inconsistent agent behavior, accidental over-routing, or routing loops/cascades in multi-skill environments.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The skill's top-level description is broad enough to match many ordinary growth-related prompts, which can cause the router to activate when the user did not explicitly request this skill. In a skill-routing system, overbroad activation increases the chance of unintended tool use and can cascade into downstream skills that access files, memory, or external systems.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The trigger phrases are ambiguous and include common conversational terms like growth strategy, which makes accidental invocation likely. Because this is a main router skill, false activations are more dangerous than in a narrow single-purpose skill: they may steer the agent into unnecessary follow-on skills and expose additional context or credentials.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill instructs the agent to read API keys from environment variables, local files, and MEMORY.md without any user-facing consent, scope limitation, or least-privilege guidance. In an adversarial or simply over-eager routing context, this can lead to unnecessary secret discovery or propagation to sub-skills, turning routine growth questions into credential-access operations.

VirusTotal

63/63 vendors flagged this skill as clean.
