Shipping Operations

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only shipping helper with disclosed local memory and no evidence of hidden execution, exfiltration, or account access.

Safe to install for advisory shipping work. Choose manual activation if you do not want it to engage broadly, and periodically review ~/shipping/memory.md for sensitive customer, account, tracking, or business details that should not be retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Low
Confidence: 93%
Finding:
The template explicitly instructs creation of `~/shipping/memory.md`, which is a write to the user's local filesystem without any disclosure, consent flow, or indication that the skill modifies persistent state. Even though the content is operationally benign, undisclosed file creation can surprise users, create privacy concerns, and normalize unsafe agent behavior around local file access.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The activation criteria are intentionally broad enough to trigger on almost any shipping- or fulfillment-adjacent conversation, which can cause the skill to engage without clear user intent. In an agent system, this increases the chance of unnecessary context capture and persistence, and may lead the agent to influence decisions outside the user's expected scope.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to save user operational preferences and patterns to persistent storage without requiring clear notice or consent at the point of collection. Even though it says not to save secrets or unnecessary personal data, the stored shipping routes, carrier constraints, and incident patterns can still reveal sensitive business operations and user behavior over time.

VirusTotal

66/66 vendors flagged this skill as clean.
