Nonviolent Communication

Security checks across malware telemetry and agentic risk

Overview

This is a text-only communication coaching skill with no executable code, credential use, persistence, or data access, though users should expect broad activation and Heardly branding in outputs.

Install this if you want an NVC-style communication coach. Be aware it may activate for broad writing or relationship prompts, and its required Heardly watermark and occasional cross-book recommendation may appear in responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger phrases are broad, generic conversational requests like 'Help me phrase this' and 'How should I respond to this,' which can match many unrelated user intents. This can cause unintended invocation of the skill, leading the assistant to apply the NVC framework when the user did not request it, potentially overriding more appropriate skills or producing off-target guidance.

Vague Triggers

Medium
Confidence: 96%
Finding
The statement that the skill will appear 'whenever I sense this book could help' creates an ambiguous, subjective activation rule with no clear boundary. Ambiguous activation increases the chance of overreach, where the skill activates opportunistically and steers responses toward its framework even when another tool or a general response would be more appropriate.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The manifest description is written entirely in Chinese while the surrounding skill metadata and trigger guidance are in English, which can cause the agent or user-facing systems to present content in a language the user did not request. This poses no code-execution risk, but it can lead to confusing or inaccessible behavior, especially if the description is surfaced automatically during installation, discovery, or onboarding.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The file is entirely in Chinese with no language-selection mechanism or documented locale limitation, which can cause users or downstream agents to misinterpret safety-relevant guidance. In a communication/coaching skill, misunderstanding nuanced advice about anger, conflict, and protective force could lead to inappropriate use or failure to apply safeguards correctly.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The file content is entirely in Chinese and strongly prescribes a specific output style without indicating any user language preference, fallback, or opt-in. In a user-facing communication skill, this can cause the agent to respond in an unexpected language, degrading usability, causing misunderstanding, and overriding user intent or platform language settings.

VirusTotal

63/63 vendors flagged this skill as clean.