Generate project documentation

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-generation skill that clearly fits its purpose and writes expected Markdown files under docs/.

Install only if you want an agent to read project files and generate or update Markdown documentation under docs/. Review any overwrite choice carefully, run it on a branch if existing docs matter, and confirm Chinese documentation is acceptable for your project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly writes generated files into `docs/` and later describes overwrite behavior, but the top-level description does not clearly warn that running it will create or replace files in the repository. This can cause unexpected file modification or loss of existing documentation, especially because the skill is designed to operate over the whole project and use subagents to write multiple files.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
The guardrail mandates Chinese output without asking the user for language preference. While this is not a classic security exploit, it can mislead users, reduce reviewability, and create operational risk if maintainers expect documentation in another language and approve changes they cannot easily validate.

Missing User Warnings

Medium
Confidence: 88%
Finding
The prompt explicitly instructs the agent to use the Write tool to create files under docs/ without any user-facing disclosure, confirmation step, or mode distinction between analysis and modification. In an agent setting, silent repository writes can cause unexpected workspace changes, pollute commits, or overwrite existing documentation, especially when this prompt is executed automatically across arbitrary projects.

VirusTotal

65/65 vendors flagged this skill as clean.
