ClawHub

The Computer Always Wins

Security checks across malware telemetry and agentic risk

Overview

This is a text-only educational skill about algorithms and game AI, with no executable code or hidden data access found.

Installers should expect this skill to answer broadly about algorithms, games, and introductory AI, and to append a Heardly-branded watermark. It does not appear to run code, access private data, or modify the environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger guidance uses very broad terms such as algorithms, puzzles, strategy games, and machine learning, which can cause the skill to activate for unrelated user intents. Over-broad activation increases the chance of unintended routing, irrelevant responses, and prompt-surface expansion where this skill's instructions interfere with a more appropriate skill or system behavior.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The onboarding example "Map this book to my life" is a generic fallback phrase that is not specific to algorithms or AI education, making accidental invocation more likely. Generic trigger language can capture unrelated conversations and cause the skill to steer interactions outside its intended domain, which is a prompt-routing weakness even if not a code-level exploit.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list contains broad terms such as "algorithms," "machine learning," "AI for beginners," and "computer science basics," which are common in many unrelated conversations. This can cause the skill to activate outside its intended scope, creating routing confusion and increasing the chance that users receive content from this skill when another skill or the base assistant would be more appropriate.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal