ClawHub

TRIZ Systematic Innovation Method

Security checks across malware telemetry and agentic risk

Overview

This is a local TRIZ brainstorming/report tool with no evidence of data theft or unsafe system control, but its generated scores and “validated” labels should not be treated as real engineering validation.

Install only if you want a local TRIZ brainstorming aid. Treat its rankings, percentages, and “validated” solution labels as unverified suggestions requiring human/domain review, and note that installation adds a local triz command under your home directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code presents solution scoring and technical validation as if they were meaningful outputs, but the implementation is driven by Math.random() and hardcoded placeholder strings such as "Validated" and "Pending validation." In a decision-support skill, this can mislead users into trusting fabricated feasibility, impact, and validation results, causing poor engineering or business decisions based on non-existent analysis.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file advertises generation of 'validated innovative solutions,' but the implementation later relies on placeholder logic and random scoring rather than real validation. In a decision-support skill, this is dangerous because users may trust fabricated rigor and make engineering or product decisions based on non-deterministic, unverified output.

Intent-Code Divergence

Low
Confidence
98% confidence
Finding
The evaluation function claims to assess multiple solution dimensions 'as specified,' yet it assigns arbitrary random values and labels technical validation as 'Validated.' This can mislead users into believing outputs are reproducible and technically grounded when they are effectively synthetic scores, creating unsafe reliance risk in product or engineering planning.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation criteria are broad enough to match generic engineering and product-development conversations, which can cause the skill to trigger outside of clear user intent. That increases the chance of inappropriate invocation, context hijacking, or the model steering users into this workflow when they did not request TRIZ-specific assistance.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation rules are broad enough to match many ordinary engineering or product discussions, which can cause the skill to activate outside its intended context. This increases the chance of irrelevant takeover of user interactions, reduced routing precision, and unexpected behavior that may suppress more appropriate skills or workflows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal