Find Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed skill finder and installer, but it has broad automatic triggers and can search external services, use GitHub credentials, run npx commands, and install third-party skills into persistent agent directories.

Install only if you want a skill broker that can search several external marketplaces and install third-party skills. Before using it, avoid sensitive task descriptions, do not expose a broad GitHub token, review each recommended source manually, and require confirmation before any download, clone, npx command, or write into your active skills directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill explicitly instructs the agent to read and use the GITHUB_TOKEN environment variable to authenticate outbound GitHub API requests. Even if the token is only sent to api.github.com, this expands the skill's access to sensitive credentials and normalizes secret use during routine discovery, increasing the blast radius if the skill logic is later altered or if requests are redirected or logged.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The fallback search path invokes npx-based package execution commands during a discovery workflow, which is riskier than simple search because it can download and run remote package code. This creates a supply-chain and arbitrary code execution path unrelated to merely recommending skills, and users are not clearly warned that search may trigger executable package retrieval.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The README advertises very broad natural-language triggers such as describing a general goal ('我想做一个海报' ("I want to make a poster"), '帮我分析股票' ("help me analyze stocks")) to activate skill discovery. That can cause unintended invocation in ordinary conversation, especially because the skill also performs discovery and installation actions, increasing the chance of unexpected external lookups or follow-on installation flows.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README promotes one-click installation from multiple sources including GitHub and third-party markets, but it does not warn about trust, verification, or provenance risks. In this skill's context, that is more dangerous because the skill is explicitly a discovery-and-install broker, so weak trust messaging can funnel users toward unreviewed code from external ecosystems.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The skill description claims broad automatic activation for common natural-language requests such as wanting to do a task or find a tool, making it likely to trigger on ordinary conversations. Because the skill performs local scanning, remote searches, and installation logic, overbroad triggering can cause unexpected external requests and filesystem-affecting behavior without a narrowly scoped user intent.

Vague Triggers

Severity: High
Confidence: 94%
Finding
The trigger reference section defines ambiguous activation phrases like '我想做XXX' ("I want to do XXX") and '有没有能XXX的工具' ("is there a tool that can XXX"), which overlap with many normal user requests. In context, that ambiguity is dangerous because activation leads into multi-source scanning and potentially remote search/install behavior, far beyond simple conversational assistance.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill instructs automatic remote queries to multiple third-party services using user-derived keywords, but does not clearly warn that user requests will be transmitted externally. This can leak sensitive or proprietary task descriptions to external APIs and repositories, especially because the skill is designed to activate from broad natural-language prompts.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The one-click installation workflow performs downloads, archive extraction, git clone operations, symlink creation, and writes into persistent skill directories without a strong warning about filesystem modification and external code intake. This is dangerous because a recommendation skill becomes an installer for untrusted third-party content, creating supply-chain, persistence, and possible later-execution risks.

VirusTotal

63/63 vendors flagged this skill as clean.