skillnet

Security checks across malware telemetry and agentic risk

Overview

The skill is a skill-management tool whose network and local-library actions are disclosed and broad, but mostly gated behind user approval.

Install it only if you want an agent to help manage skills. Review where the skillnet-ai package comes from, prefer pipx over a global pip install, and do not approve create/evaluate/analyze on sensitive repos, documents, or logs unless you are comfortable sending the disclosed content to the configured LLM endpoint or have pointed BASE_URL at a local endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
86% confidence
Finding
The skill is positioned to activate 'before any multi-step task,' which is overly broad for a supply-chain-style tool that can search, download, create, and evaluate external content. Overbroad activation increases the chance that the agent invokes networked or persistence-related workflows in ordinary tasks where they are unnecessary, expanding exposure to third-party content and data handling.

Vague Triggers

Medium
88% confidence
Finding
Several triggers such as 'find a skill,' 'learn this repo/doc,' and handling arbitrary GitHub URLs, PDFs, DOCX, PPTs, logs, or trajectories are broad and can match many ordinary interactions. In context, this matters because the skill can initiate external searches, process user-provided artifacts, and encourage persistence into a local skill library, so ambiguous activation can cause unnecessary data exposure or ingestion of untrusted material.

Vague Triggers

Medium
91% confidence
Finding
The trigger phrase 'understand this repo'/'learn this project' is broad enough to match common user requests and steer the agent into the SkillNet create flow, which uploads repository-derived metadata to an LLM endpoint. In a skill that is supposed to run before many multi-step tasks, this broad activation materially increases the chance of unintended data exfiltration or unnecessary persistence of third-party/project context.

Vague Triggers

Medium
88% confidence
Finding
The cleanup pattern allows the agent to self-trigger when it merely 'notices' a directory has more than 30 skills, which authorizes behavior without an explicit user request. Because the workflow includes analysis, evaluation, and moving skills to trash, this creates a pathway for autonomous modification of user data based on an ambiguous heuristic.
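
A worked check for the 'Vague Triggers' class of finding above. This is an added example, not SkillSpector's detection logic and not code from the skillnet project: it splits a SKILL.md-style file into frontmatter and body, matches the trigger phrases quoted in the four findings ('before any multi-step task', 'find a skill', 'learn/understand this repo', activation on artifact type, 'when you notice ...') against constructed regex classes, and rates a match Medium only when the body also advertises a capability that makes the broad trigger costly (search/download/evaluate verbs for data exposure, trash/move verbs for the self-trigger). The sample SKILL.md text, the pattern lists, the capability verb lists and the severity rule are all assumptions.

```python
"""Heuristic trigger-scope check for an agent skill description (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample SKILL.md: paraphrases the trigger phrases quoted in the
# findings above; it is NOT the real skillnet SKILL.md.
SAMPLE_SKILL_MD = """---
name: skillnet
description: >
  Use before any multi-step task. Triggers: "find a skill",
  "learn this repo", "understand this repo", or when the user shares a
  GitHub URL, PDF, DOCX, PPT, log file or trajectory. Also run cleanup
  when you notice a directory has more than 30 skills.
---
# skillnet
Searches, downloads, creates and evaluates skills; can move skills to trash.
"""

# Trigger classes (assumed heuristics, not SkillSpector's rules).
TRIGGER_PATTERNS = {
    # "before any multi-step task": fires on nearly every session
    "universal-scope": re.compile(
        r"\b(?:before|on|during|for) (?:any|every|all)\b[^.;\n]*", re.I),
    # "find a skill", "learn this repo": common intents, not skill-specific
    "generic-intent": re.compile(
        r"\b(?:understand|learn|find) (?:this |a |an |the )?"
        r"(?:repo\w*|project|doc\w*|skill)\b", re.I),
    # activation on artifact type alone (URL, PDF, DOCX, ...) regardless of intent
    "artifact-match": re.compile(
        r"\b(?:github url|pdf|docx|ppt|log file|trajector\w+)\b", re.I),
    # the agent decides on its own that a condition holds and acts unasked
    "self-trigger": re.compile(
        r"\bwhen (?:you|it|the agent) (?:notice|detect|see)s?\b[^.;\n]*", re.I),
}

# Capabilities advertised in the body that make a broad trigger costly (assumed lists).
EXFIL_VERBS = re.compile(r"\b(?:search|download|upload|send|evaluat|analy[sz]|creat)\w*", re.I)
PERSIST_VERBS = re.compile(r"\b(?:trash|delet|mov|install|sav|writ)\w*", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str      # trigger class from TRIGGER_PATTERNS
    phrase: str    # matched trigger text
    severity: str  # "Medium" if a matching capability is advertised, else "Low"


def split_frontmatter(skill_md: str) -> tuple[str, str]:
    """Return (frontmatter, body); a file without frontmatter is all body."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", skill_md, re.S)
    return (m.group(1), m.group(2)) if m else ("", skill_md)


def capabilities(body: str) -> set[str]:
    caps: set[str] = set()
    if EXFIL_VERBS.search(body):
        caps.add("exfil")    # content may leave the machine or reach an LLM endpoint
    if PERSIST_VERBS.search(body):
        caps.add("persist")  # skill can change files in the user's library
    return caps


def check_triggers(skill_md: str) -> list[Finding]:
    front, body = split_frontmatter(skill_md)
    desc = " ".join(front.split())  # collapse YAML folded lines into one string
    caps = capabilities(body)
    findings: list[Finding] = []
    for kind, pat in TRIGGER_PATTERNS.items():
        phrases = [m.group(0).strip() for m in pat.finditer(desc)]
        if not phrases:
            continue
        # a self-trigger matters when the skill can modify data on its own;
        # the other classes matter when content can be sent out or ingested
        needed = "persist" if kind == "self-trigger" else "exfil"
        sev = "Medium" if needed in caps else "Low"
        if kind == "artifact-match":  # one finding listing every matched type
            findings.append(Finding(kind, ", ".join(phrases), sev))
        else:
            findings.extend(Finding(kind, p, sev) for p in phrases)
    return findings


if __name__ == "__main__":
    for f in check_triggers(SAMPLE_SKILL_MD):
        print(f"{f.severity:6} {f.kind:16} {f.phrase}")
```

Run it against the sample and every match comes back Medium, because the body advertises both exfil-capable verbs (searches, downloads, evaluates) and a persistence verb (move to trash); the same broad trigger on a skill whose body advertises neither is reported Low, which is the distinction the findings above draw between trigger breadth and what the skill can do once triggered.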

VirusTotal

66/66 vendors reported this skill as clean. An antivirus verdict covers the packaged files only; it does not assess the trigger-scope and data-handling issues in the findings above.
