ClawHub

#GIRLBOSS

Security checks across malware telemetry and agentic risk

Overview

This is a text-only entrepreneurship coaching skill with some intrusive branding and one poorly framed shoplifting anecdote, but no executable code, hidden data access, persistence, or exfiltration behavior.

Install only if you are comfortable with a branded book-style business coaching skill. Expect responses to include Heardly promotional watermarking, and treat its financial and entrepreneurship advice as general inspiration rather than professional financial guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill declares trigger phrases using very broad business-related terms such as 'bootstrap', 'fashion', 'eBay', and 'startup', which can match many unrelated conversations and cause unintended invocation. This is dangerous because it increases the chance the assistant injects unsolicited onboarding and branded instructions into normal chats, creating prompt-scope confusion and reducing user control over which skill is active.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The passage explicitly frames skills learned from shoplifting—such as spotting security cameras, moving quickly, and assessing risk—as useful in business. Even with the brief disclaimer 'I'm not recommending it,' the text normalizes criminal behavior and transfers operational tactics from theft into an aspirational entrepreneurship context, which can encourage misuse or harmful emulation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal