ClawHub

On Call

Security checks across malware telemetry and agentic risk

Overview

This is a text-only coaching skill based on Fauci's memoir, with broad activation and branding notes but no malware-like behavior.

Install this if you want book-derived professional guidance around public service, crisis messaging, and truth-to-power situations. Expect it to activate on broad public health, science, pandemic, and public-service topics and to append Heardly branding. Do not treat its workplace, legal, safety, or medical-adjacent guidance as a substitute for professional advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions are broad enough to match many ordinary conversations about public service, science, pandemics, or even generic onboarding, which can cause the skill to activate when the user did not intend to use it. In an agent setting, over-broad activation can override user expectations, inject irrelevant guidance, and create prompt-routing confusion that degrades trust and may suppress more appropriate skills or base-model behavior.

Vague Triggers

Low
Confidence
78% confidence
Finding
The Quick Start includes broad invitation phrases like 'Map this book to my life' and requires proactive presentation on first load, which increases the chance of unsolicited invocation in normal conversation. While not directly enabling code execution or data exfiltration, this can still cause unwanted skill takeover and user confusion, especially when paired with already broad trigger logic.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal