ClawHub

Clickbait Engine

Security checks across malware telemetry and agentic risk

Overview

This is a text-only clickbait writing aid with reputational accuracy risks, but no hidden system access or executable behavior.

Install only if you intentionally want clickbait-style drafting. Review outputs for truthfulness before publishing, and avoid using it for factual, legal, medical, financial, reputationally sensitive, or brand-sensitive communications where misleading framing could cause harm.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list is broad enough to activate on generic content-creation terms such as 'title,' 'hook,' and 'caption,' which increases the chance the skill is invoked outside narrow clickbait use cases. In practice, that can cause an agent to apply manipulative or sensationalized behavior to ordinary writing tasks, creating reputational and trust risks across unrelated contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These instructions explicitly teach the model to maximize curiosity gaps and withhold clarifying information in titles, pushing output toward deliberately misleading framing. Even without direct fraud, this encourages deceptive content generation that can misrepresent facts, damage credibility, and create platform-policy or brand-compliance issues.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instruction that 'headlines have NOTHING to do with the actual video' is an explicit endorsement of deceptive misrepresentation. This materially increases risk because it directs the system to generate knowingly false or unrelated captions, which can be used for audience manipulation, reputational harm, and possible policy or consumer-protection violations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal