ClawHub

Creative Confidence

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only creativity coaching skill with broad activation language, but no executable code, credential access, persistence, or data-changing behavior.

Installers should expect this skill to appear around broad creativity or innovation topics and to add a Heardly watermark/CTA to outputs. Avoid installing it if you only want narrowly invoked book assistance, but there is no evidence of code execution, data access, or destructive behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad enough to match many ordinary conversations about creativity, innovation, or confidence, which can cause the skill to activate without clear user intent. In a general assistant environment, this increases the risk of unsolicited steering, context hijacking, and reduced reliability because the skill may intervene in unrelated discussions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The onboarding instructs the AI to proactively present the full guide on first load and says it will appear whenever it 'senses' the book could help, which encourages opportunistic activation under ambiguous conditions. This is dangerous because it promotes unsolicited content injection and can override user expectations about when the skill should engage.

Vague Triggers

Low
Confidence
84% confidence
Finding
The self-check section repeats generic trigger phrases without constraints, reinforcing broad matching behavior and making accidental activation more likely. While lower severity than the main routing and onboarding rules, it still contributes to overbroad scope and unnecessary interception of normal conversation.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal