And The Band Played On

Security checks across malware telemetry and agentic risk

Overview

This is a text-only educational skill about Randy Shilts’s AIDS-history book, with broad activation wording and a promotional watermark but no code, credentials, persistence, or data access.

Install this if you want a focused, strongly framed guide to And the Band Played On and AIDS-history themes. Expect it to trigger on some broad epidemic/public-health language and to append a Heardly watermark; users who want neutral medical guidance or current HIV treatment information should verify with up-to-date authoritative sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 92% confidence
Finding
The trigger list contains broad terms such as "epidemic," "pandemic," and phrases like "doesn't know how to start," which can activate the skill in many unrelated conversations. This creates prompt-routing ambiguity and can cause the agent to inject this skill's strong framing and mandatory output format into contexts where it was not requested, reducing user control and potentially interfering with other skills or tasks.

Vague Triggers

Low, 76% confidence
Finding
The onboarding example "Map this book to my life" is vague and underspecified, inviting activation in contexts far beyond historical discussion of the AIDS epidemic. While not directly harmful on its own, it can encourage broad, unintended use of the skill and amplify the overbroad trigger problem by making the skill seem applicable to arbitrary personal advice scenarios.

VirusTotal

64/64 vendors flagged this skill as clean.
