ClawHub

Drawing

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only drawing helper whose local preference memory is disclosed and purpose-aligned, though users should be aware it may remember drawing defaults.

Install if you want help generating children's drawing and coloring-page prompts. Before using it, consider telling the agent whether it may remember drawing preferences, child age bands, style choices, or activation behavior, and review or clear ~/drawing/ if you want to reset those notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The skill instructs the agent to save activation preferences in the user's main memory, introducing persistence beyond the immediate image-generation task. Even though the data is relatively low sensitivity, storing it without explicit need, consent, or retention boundaries creates an unnecessary privacy and scope-expansion risk.

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
This section directs the agent to keep reusable profile notes such as age bands, style preferences, constraints, and recurring series anchors for future use. That creates a persistent user-profile layer not strictly required for a single drawing request and can accumulate behavioral or child-related information over time without transparency.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation criteria are broad enough to match many ordinary requests involving drawings, worksheets, or printable activities, which can cause the skill to engage outside the user's clear intent. Over-broad triggering increases the chance that the skill's memory and guidance behaviors are applied unexpectedly, compounding privacy and scope-control concerns.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instruction to save preferences in main memory is not paired with any user-facing disclosure, consent flow, or explanation of persistence. Hidden persistence undermines user expectations and can lead to silent collection of preference data across sessions, which is a privacy and trust issue even if the content seems harmless.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes internal storage of multiple user attributes and recurring constraints without warning the user that this data may persist. Because the stored information can include age-related preferences and repeated behavioral patterns, the lack of transparency increases privacy risk and makes the skill more dangerous than a stateless drawing helper.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal