ClawHub

Home Buying

Security checks across malware telemetry and agentic risk

Overview

This skill is a local home-buying decision helper that discloses its note storage and does not show hidden execution or data sharing.

Install only if you are comfortable with local notes about your budget, financing posture, properties, offers, and closing checklist being saved under ~/home-buying/. Do not store account numbers, identity documents, lender credentials, or other secrets there, and remove the folder when you no longer need the history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation condition is overly broad because it can trigger on any discussion of buying a home, mortgage decisions, offers, or closing, even when the user may not want this skill engaged. Unintended invocation can cause unnecessary persistence of context, inappropriate steering of the conversation, or accidental collection of sensitive financial and housing-related information in situations where the user did not explicitly opt in.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to store user preferences and purchase-related context in a local memory file, but it does not clearly require a user-facing disclosure or consent before persistence. In a home-buying context, even 'baseline' data like geography, budget ceilings, financing posture, and risk tolerance can be privacy-sensitive and may expose financial profile information if stored unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal