Skill Trigger V2

Security checks across malware telemetry and agentic risk

Overview

This package is presented as documentation-only, but it still ships runnable skill-routing and setup code that can influence which skills an agent executes.

Install it only if you want an active routing component, not merely documentation. Review the Python files before running any setup command, do not wire execute_skill to fire automatically without user confirmation or an allowlist, and make sure the local skill index is trusted and reviewable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The README represents the artifact as a functioning intelligent runtime trigger even though the published package metadata says the runtime matching implementation has been removed. This mismatch can mislead operators into trusting unavailable behavior, integrating nonexistent controls, or making deployment decisions based on false security and routing assumptions.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The documentation advertises callable APIs and setup commands such as fit_gate, generate_declaration, and wizard operations as if they were present in the published artifact, even though the artifact is described as framework-only. Consumers may script against nonexistent functions, build security-sensitive workflows on top of them, or assume dependency checks and routing protections are active when they are not.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The README describes active runtime intent matching, unified thresholds, and arbitration logic even though the published artifact reportedly no longer includes that implementation. This creates a security-relevant trust mismatch: operators may rely on behavior, logging, or safeguards that do not actually exist, leading to unsafe deployment assumptions and poor incident triage.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The published metadata says runtime matching was removed, but this file still contains fully functional trigger matching, dependency checks, candidate scoring, and arbitration logic. That discrepancy can cause operators and downstream systems to trust the artifact as reference-only when it can still actively influence agent behavior and skill selection at runtime.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The code generates an active instruction string telling the agent to prioritize a matched skill, which contradicts the claim that this is only a framework/reference trigger artifact. This is dangerous because hidden or undeclared instruction injection can alter agent execution flow, bypass user expectations, and make security review based on the manifest unreliable.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The README describes very broad triggering behavior such as understanding varied natural-language requests, but it does not define concrete activation boundaries, exclusions, or conflict-handling safeguards beyond a generic threshold and priority scheme. In an agent setting, ambiguous trigger criteria can cause unintended skill activation, misrouting of user requests, or invocation of higher-privilege capabilities when the user did not clearly intend them.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
The README advertises broad natural-language trigger examples such as common everyday requests, which implies a wide matching surface and can encourage deployment with overly permissive invocation expectations. In an agent ecosystem, ambiguous trigger scope increases the risk of accidental activation, skill overlap, and unintended execution paths, especially when users and integrators assume the skill handles ordinary speech safely.
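The safeguards the Overview asks for (an allowlist and a confirmation step in front of any execute_skill wiring) together with the concrete activation boundaries, exclusions and conflict handling that the two Vague Triggers findings say the README lacks, as an added example in Python. This is not code from the Skill Trigger V2 package or from SkillSpector; the skill index, the keyword scoring, the threshold and margin values, and the Skill and Decision types are assumptions constructed for illustration.

```python
"""Allowlisted, confirmation-gated skill routing (added example, not the package's code).

Assumed shape: a skill index mapping names to Skill entries with trigger keywords,
exclusion terms and a privileged flag. The router returns a Decision; it never
executes a skill and never emits an instruction string for the agent.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Skill:
    name: str
    keywords: FrozenSet[str]                   # lowercase trigger terms
    exclusions: FrozenSet[str] = frozenset()   # substrings that veto activation
    privileged: bool = False                   # requires explicit user confirmation


@dataclass
class Decision:
    skill: Optional[str]       # selected skill, or None when nothing should run
    score: float
    reason: str
    needs_confirmation: bool = False


# Constructed sample index; a real deployment loads and reviews its own.
SKILL_INDEX: Dict[str, Skill] = {
    "summarize_text": Skill("summarize_text", frozenset({"summarize", "summary", "tldr"})),
    "run_shell": Skill("run_shell", frozenset({"run", "execute", "shell", "command"}),
                       exclusions=frozenset({"explain", "what is"}), privileged=True),
    "search_files": Skill("search_files", frozenset({"find", "search", "locate", "file"})),
}

# Only names on this allowlist are ever candidates, whatever the index contains.
ALLOWLIST: FrozenSet[str] = frozenset({"summarize_text", "search_files", "run_shell"})

TOKEN_RE = re.compile(r"[a-z0-9_]+")


def _score(skill: Skill, tokens: Set[str], text: str) -> float:
    """Fraction of the skill's keywords present in the request; 0 if any exclusion appears."""
    if any(ex in text for ex in skill.exclusions):
        return 0.0
    return len(skill.keywords & tokens) / len(skill.keywords)


def route(request: str, index: Dict[str, Skill] = SKILL_INDEX,
          allowlist: FrozenSet[str] = ALLOWLIST, threshold: float = 0.25,
          margin: float = 0.1, confirmed: Optional[Set[str]] = None) -> Decision:
    """Score allowlisted skills and return a Decision with an explicit reason.

    threshold: minimum score to be a candidate at all.
    margin:    if the top two candidates are closer than this, refuse to arbitrate.
    confirmed: privileged skills the user has explicitly approved for this request.
    """
    confirmed = confirmed or set()
    text = request.lower()
    tokens = set(TOKEN_RE.findall(text))

    scored = []
    for name, skill in index.items():
        if name not in allowlist:
            continue  # present in the index but not approved for routing
        s = _score(skill, tokens, text)
        if s >= threshold:
            scored.append((s, name))

    if not scored:
        return Decision(None, 0.0, "no candidate above threshold")

    scored.sort(reverse=True)
    best_score, best = scored[0]
    if len(scored) > 1 and best_score - scored[1][0] < margin:
        return Decision(None, best_score,
                        f"ambiguous: {best} vs {scored[1][1]} within margin; ask the user")
    if index[best].privileged and best not in confirmed:
        return Decision(None, best_score,
                        f"{best} is privileged; explicit user confirmation required",
                        needs_confirmation=True)
    return Decision(best, best_score, "matched")


if __name__ == "__main__":
    for req in ("tldr of the meeting notes", "summarize this file",
                "run this command now", "explain what is the run command"):
        print(f"{req!r} -> {route(req)}")
    print(route("run this command now", confirmed={"run_shell"}))
```

The router hands back data for the caller to act on rather than an instruction string telling the agent to prioritize a skill, which keeps the routing result out of the prompt (the behaviour the fifth finding objects to). A near-tie between candidates and an unconfirmed privileged skill both come back with skill=None, so the default is to ask the user instead of arbitrating silently.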

VirusTotal

66/66 vendors flagged this skill as clean.