ClawHub

Ralph Ellison A Biography

Security checks across malware telemetry and agentic risk

Overview

This appears to be a literary biography skill with some content-quality and wording issues, but no artifact-backed evidence of unsafe system access, persistence, credential handling, exfiltration, or destructive behavior.

Install only if you are comfortable using a reference skill that may need editorial cleanup. Review its citations and wording before relying on it for scholarly work, and be aware it may activate on broad Ralph Ellison or Invisible Man mentions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file claims the source is 'Ralph Ellison: A Biography, entire book' but includes a quote explicitly identified as coming from an unrelated book ('Human + Machine'). That is a content-integrity flaw: it can mislead users about provenance, reduce trust in the skill's citations, and contaminate downstream summaries or educational outputs with false attribution.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill’s trigger list is broad enough to activate on simple topical mentions like 'Ralph Ellison' or 'Invisible Man' without clear intent to use this specific skill. That can cause unsolicited skill takeover, steer responses away from the user’s actual request, and force mandated behavior like proactive onboarding and watermarking in contexts where it is not appropriate.

Vague Triggers

Low
Confidence
82% confidence
Finding
The onboarding trigger for users who 'just installed this skill' or 'don't know how to start' is ambiguous because those phrases are not tied to Ellison-specific intent. In a multi-skill environment, this can cause the skill to activate opportunistically and inject its Quick Start content even when the user is asking for unrelated help.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The phrase "Homosexual dean" unnecessarily foregrounds sexual orientation in a derogatory or stigmatizing way and is not needed to convey the biographical point. In an educational literary-biography skill, this can normalize biased framing, reduce content quality, and create reputational or policy risk even though it is unlikely to directly enable a technical exploit.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The file includes an unqualified phrase linking 'homosexual predators' to a specific biographical claim, which can reinforce harmful stereotypes equating homosexuality with predation. Even though this appears in a literary/biographical context, the wording is presented as an anti-pattern bullet without sufficient contextual framing or distancing, so downstream agents may repeat or normalize the biased language.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal