
Security audit

ia-tailwind-css

Security checks across malware telemetry and agentic risk

Overview

The only raised issue appears to be a hidden Markdown comment used as a placeholder, not a harmful instruction or hidden runtime behavior.

This looks acceptable to install based on the supplied signals. The main thing to know is that SPEC.md contains a non-rendered TODO comment, so users or maintainers may want it cleaned up for transparency, but there is no evidence that it changes runtime behavior or asks for sensitive access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Hidden Instructions

High
Category
Prompt Injection
Content
Out of scope:
- Acting as the runtime instructions themselves (those live in `SKILL.md`).
- Trigger phrasings already covered by adjacent `ia-*` skills (`validate-plugin` flags >70% description overlap as DUPLICATE_TRIGGER).
- <!-- to fill in: domain-specific exclusions when the skill drifts -->

## Trigger Context
Confidence
70% confidence
Finding
<!-- to fill in: domain-specific exclusions when the skill drifts --> ## Trigger Context - Class: `language` - Hook regex: `plugins/whetstone/hooks/skill-patterns.sh` -> `SKILL_PATTERNS[ia-tailwind-

VirusTotal

65/65 vendors flagged this skill as clean.
