100m Offers

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed business-coaching skill with somewhat broad activation wording, not a skill that performs hidden actions or accesses sensitive systems.

Safe to install as an advisory business skill. Expect it to provide offer/pricing/customer-acquisition guidance, and consider narrowing or disabling broad trigger phrases if you do not want it appearing in ordinary business conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger phrases are broad business terms such as pricing, revenue, customer acquisition, and sales conversion, which are likely to appear in many ordinary conversations. This can cause the skill to activate outside its intended scope, increasing the chance of unsolicited guidance, context hijacking, or interference with a more appropriate skill chosen for the user's actual request.

Vague Triggers

Medium
Confidence: 91%
Finding
The instruction that the skill will show up whenever it 'senses this book could help' defines activation in a subjective and unconstrained way. Ambiguous activation criteria can lead to over-triggering, making the assistant inject this skill into unrelated conversations and reducing user control over when specialized content is introduced.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger list includes very generic business phrases such as "Increase revenue," "Customer acquisition," "Sales conversion," and "Pricing strategy," which are likely to match many ordinary business queries unrelated to this specific skill. Over-broad activation can cause the wrong skill to intercept requests, leading to misrouting, inappropriate advice injection, and reduced trust in the agent’s behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
