Tvs Analyze

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward code-analysis skill with one optional local diagram command, and the artifacts do not show hidden data access, persistence, or destructive behavior.

Install this if you want Chinese-oriented explanations of codebases, structure, dependencies, and business logic. Before allowing the optional Madge command, confirm the repository and referenced local script path are trusted, because running local dependency-generation scripts can execute code in your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium, 90% confidence
Finding
The skill instructs the agent to execute a local shell command (`node .claude/skills/analyze/scripts/generate-madge.mjs`) to generate dependency graphs, even though the skill’s stated purpose is analysis and summarization. Allowing command execution during a broadly triggered analysis skill expands the attack surface: a malicious repository could influence script behavior, and the agent may perform unnecessary local execution on untrusted codebases.

Vague Triggers

Medium, 84% confidence
Finding
The skill's description makes it trigger on very broad code-analysis requests, which increases the chance it will activate in contexts the user did not specifically intend. In combination with operational instructions like generating diagrams via local commands, overly broad activation can cause unnecessary access patterns or tool use across many repositories, including untrusted ones.

VirusTotal

65/65 vendors flagged this skill as clean.
