Message Injector

Security checks across malware telemetry and agentic risk

Overview

This plugin is transparent and simple, but it can silently add operator-chosen instructions to every user message across a workspace.

Install only if you intentionally want a workspace-wide prompt policy. Use it in controlled workspaces, keep the injected text visible to affected users, avoid content that overrides user intent or disables safeguards, and confirm you have a clear disable or rollback path before enabling it on shared channels like Slack, Telegram, or WebChat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium, 95% confidence
Finding
The skill explicitly advertises that it prepends custom text to every user message across all channels, but the documentation provides no requirement for user-visible disclosure, consent, or per-channel indication that messages are being modified. Silent gateway-level modification of user input can misrepresent user intent, undermine auditability, and create a prompt-injection primitive that affects every downstream interaction.

Vague Triggers

Medium, 92% confidence
Finding
The plugin description explicitly states it prepends text to every user message before the agent sees it, giving it a broad and powerful interception scope across all conversations. That creates a prompt-injection and policy-bypass surface because hidden instructions can be inserted into benign user input without per-message consent, visibility, or channel scoping.

Natural-Language Policy Violations

Medium, 95% confidence
Finding
The description indicates unconditional modification of every user message, with no opt-in based on user choice, language, or content context. In the stated skill context, this is especially dangerous because the metadata advertises uses such as injecting system-level instructions and persistent reminders, which can covertly steer model behavior, override safety expectations, and affect all connected channels.

Ssd 1

High, 98% confidence
Finding
The skill is explicitly designed to inject system-like instructions into every user message across channels, giving operators a mechanism to semantically override normal agent behavior at scale. This creates a powerful cross-session prompt-manipulation capability that can bypass expected trust boundaries, alter agent decisions, and facilitate coercive or deceptive behavior without user awareness.

Ssd 1

High, 99% confidence
Finding
The documentation's claim that the injection is a 'hard injection' the agent cannot skip or ignore signals intentional, durable semantic control over model behavior. In context, this increases risk because it frames the extension as a reliable mechanism for overriding safeguards or steering outputs regardless of user intent, making abuse straightforward once installed.

VirusTotal

65/65 vendors flagged this skill as clean.
