Zucked

Security checks across malware telemetry and agentic risk

Overview

This is a text-only book companion skill with broad conversational triggers and promotional formatting, but no code, credential use, data access, or hidden high-impact behavior.

Before installing, expect this skill to be opinionated and to activate on broad social-media topics such as Facebook, Instagram, mental health, privacy, and regulation. It should be treated as a Zucked-based advocacy and education aid, not as neutral medical, legal, or policy advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding:
The trigger list is extremely broad and includes many common phrases and topic mentions like 'Facebook', 'mental health', and 'regulation', which can cause the skill to activate in ordinary conversations where the user did not request this specific skill. Because the skill also instructs proactive presentation of a long onboarding flow, unintended invocation can steer conversations, override user intent, and expose users to unsolicited persuasive or advocacy content.

Missing User Warnings

Low
Confidence: 88%
Finding:
The skill directs the AI to proactively present the entire Quick Start immediately on first load, without notice or confirmation from the user. This creates an interruption/consent issue: the skill may inject substantial content into the conversation unexpectedly, which can confuse users and make the system feel like it is acting on its own behalf rather than the user's request.

VirusTotal

64/64 vendors flagged this skill as clean.
