ClawHub

Anti-Pattern Czar

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent TypeScript code-maintenance helper, with disclosed local scanning, source edits, and state tracking that fit its stated purpose.

Install only if you are comfortable running the external bunx antipattern-czar package on your repository. Use a clean git working tree, review all diffs after REVIEW or AUTO mode, run tests before committing, and delete or ignore .anti-pattern-state.json if it contains sensitive code snippets or should not be shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The mode-selection table uses very broad natural-language triggers such as "scan," "find," "fix," and "continue," which can easily appear in ordinary conversation and cause unintended skill activation or incorrect mode selection. In an autonomous or semi-autonomous agent context, accidental invocation can lead to unplanned repository scanning, state-file access, or code modification workflows being initiated without clear user intent.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill description advertises generic trigger phrases like "scan for anti-patterns," "fix error handling," and "check error handling," which are common enough to match routine user requests not intended for this specific skill. Because the description is often used by orchestrators for routing, ambiguous phrasing increases the chance that the skill is selected inappropriately and then performs analysis or fix workflows on the wrong task.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The REVIEW/AUTO/RESUME/REPORT workflows define behavior after a mode is invoked, but they do not clearly constrain when those modes may be entered or provide exclusion examples to prevent accidental triggering from ambiguous user requests. In an agent setting with persistent state and code-editing capabilities, underspecified mode selection can cause unintended review, resume, or auto-fix actions on a codebase, increasing the risk of unauthorized or surprising modifications.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal