The Road Less Traveled

Security checks across malware telemetry and agentic risk

Overview

This is a text-only self-improvement skill with intrusive branding and broad triggers, but no evidence of hidden code, data access, persistence, or destructive behavior.

Install only if you want an opinionated M. Scott Peck-inspired personal growth assistant. Expect it to trigger on broad topics like discipline, love, feeling stuck, and meaning, and expect Heardly branding appended to responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger phrases are broad, common expressions about hardship, love, discipline, and meaning, so the skill may activate for many ordinary conversations where the user did not intend to invoke this specialized guidance. This can cause unwanted interception of unrelated queries and steer users into advice framed around a specific worldview without clear consent.

Vague Triggers

Medium
Confidence: 89%
Finding
The self-check trigger list repeats highly generic phrases such as 'Life is hard' and 'I feel stuck,' which are likely to match a wide range of benign user statements. In a personal growth skill, this overbroad routing increases the chance of unsolicited behavioral or quasi-therapeutic guidance being injected into unrelated contexts.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
Mandating an English watermark on every response regardless of user preference forces unsolicited boilerplate into outputs and can override expected assistant behavior, including language alignment and concise responses. While not directly code-executing, it degrades user control and can create compliance, trust, and UX issues by appending promotional content even when out of scope.

VirusTotal

50/50 vendors flagged this skill as clean.
