ClawHub

Super Spec

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, instruction-only workflow helper for guided software planning, with no code execution, credential access, or hidden data handling found.

Install this if you want a Chinese-language workflow launcher for Superpowers plus spec-kit. Review the two linked dependency repositories before copying them into `.claude/skills/`, and invoke this skill explicitly, such as with `/super-spec`, to avoid ordinary “start” or “continue” messages being interpreted as workflow commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill defines broad activation behavior around generic user inputs like “开始” and “继续,” which can cause the skill to take over ordinary conversation without a clear, scoped invocation boundary. In an agent environment, ambiguous triggers increase the chance of unintended workflow steering, causing the assistant to initiate dependency-checking and multi-step guidance when the user did not explicitly request this skill.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The interaction rules are ambiguous about when the skill should activate versus when the assistant should remain in normal conversation mode. Because the skill maps common phrases and broad user states to workflow progression, it can inappropriately capture unrelated exchanges and redirect the session into a predefined development process.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill mandates Chinese output without checking the user's language preference or documenting that Chinese is strictly required for safe or correct operation. This can reduce user comprehension, increase the chance of misunderstanding workflow or installation guidance, and make the skill less accessible in multilingual environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal