ClawHub

Opus 4.6 Quality Certification

Security checks across malware telemetry and agentic risk

Overview

This skill looks like a local mock certification tool that presents itself as an official ClawHub security and quality authority, so users could be misled by its results.

Only install this if you treat it as a demo or placeholder. Do not rely on its audit scores, certified-skill list, application IDs, or review status as real ClawHub certification unless ClawHub independently confirms the publisher and program.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill presents itself as an official certification and security auditing tool, but the finding indicates its behavior is simulated, hardcoded, or fabricated rather than performing real verification. In a trust and compliance context, this can mislead users into relying on false security or quality assurances, causing unsafe skills to be accepted or promoted.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The tool advertises auditing and certification but computes results using Math.random(), so it can produce favorable security/quality outcomes without analyzing the target skill at all. This is dangerous because users may rely on false audit results to trust or deploy unsafe skills, creating a supply-chain style trust failure.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The header and description present this as an official certification program, yet the implementation is only a mock/simulation. Misrepresenting a fake or non-functional security/certification authority can mislead users into trusting skills that were never genuinely reviewed.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The self-assessment claims to help evaluate the current skill, but it generates yes/no answers randomly instead of asking the user or inspecting the project. This can produce misleading readiness scores and encourage submission or trust based on fabricated results.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal