ClawHub

James

Security checks across malware telemetry and agentic risk

Overview

This appears to be a conversational, book-oriented skill with broad invocation wording but no evidence of hidden code, credential use, persistence, or harmful actions.

Before installing, understand that this skill may activate for broad conversations about perspective, narrative, allyship, or identity. That is not inherently unsafe, but users who want tight control should prefer a version with more explicit trigger conditions and non-trigger examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
97% confidence
Finding
The activation phrases include broad conversational statements such as 'I need to tell my own story,' 'There's another side to this story,' and a catch-all mention of generic terms like 'perspective' and 'narrative.' These lack clear scope constraints or exclusion conditions, so the skill could activate during many unrelated conversations.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The phrase 'I'll show up whenever I sense this book could help' does not define what signals qualify for invocation or what boundaries prevent activation. This creates unclear trigger behavior and increases the chance of unintended invocation.

Vague Triggers

Low
Confidence
85% confidence
Finding
This markdown file lists invocation-like scenarios such as "I want to be a good ally" and "I feel like I have to perform a version of myself at work," which overlap with common everyday speech. The file does not provide constraints, explicit trigger phrases, or negative examples clarifying when these scenarios should or should not activate a skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal