ClawHub

First Class

Security checks across malware telemetry and agentic risk

Overview

This is a text-only political and policy skill about the USPS that is disclosed as advocacy and does not request system access, credentials, or execution authority.

Install this only if you want an advocacy-framed assistant for USPS and public-service policy topics. Expect proactive onboarding and a Heardly watermark in responses, and verify current USPS law, pricing, and election-related facts because the source framing is from a 2021 book.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list is broad enough to activate on generic terms like 'USPS', 'postal service', 'public services', or when a user says they just installed the skill or does not know how to start. This can cause unintended invocation in unrelated conversations, increasing the chance the skill injects its political framing or onboarding text without clear user intent. In this context, the risk is amplified because the skill is advocacy-oriented and includes instructions to proactively present content on first load.

Vague Triggers

Low
Confidence
79% confidence
Finding
The example phrase 'Map this book to my life.' is a vague catch-all invocation that does not constrain topic, task, or safety boundaries. If used as an activation exemplar, it can encourage over-triggering or broad personalized responses even when the user has not clearly requested USPS-related analysis. In this skill, that mainly creates unwanted invocation and scope creep rather than direct code-execution or data-exfiltration risk.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The file defines broad, natural-language activation examples such as concerns about USPS, rural closures, voting, and privatization without clear boundaries or exclusion criteria. This can cause over-triggering in unrelated political, civic, or general-interest conversations, leading the agent to inject persuasive or agenda-bearing content outside the user’s actual intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal