Algorithms To Live By

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only decision-advice skill with broad onboarding and promotional wording, but no executable behavior, data access, persistence, or hidden authority.

Installers should expect this skill to answer broadly framed decision-making and productivity questions and to append Heardly branding to outputs. Use it as educational guidance, not as a substitute for professional financial, medical, legal, or relationship advice.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger list is broad enough to match common phrases like "time management," "better decisions," or users saying they just installed the skill, which can cause the skill to activate in conversations where the user did not explicitly request it. In this skill, unintended invocation is made more risky by the instruction that the AI MUST proactively present the entire Quick Start, increasing the chance of unsolicited content injection and degraded user control.

Vague Triggers

Medium
Confidence: 97%
Finding
The statement that the skill will appear whenever it "senses this book could help" creates an ambiguous, subjective activation boundary rather than a deterministic trigger condition. That ambiguity can lead to overbroad invocation, making the assistant insert this skill's framing and mandatory watermark into unrelated interactions, which is especially problematic because the skill also instructs proactive onboarding without waiting for user request.

VirusTotal

64/64 vendors flagged this skill as clean.
