Roast My Code

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only, humorous code review skill that uses harsh language; there is no evidence of hidden access, execution, data sharing, persistence, or credential use.

Install only if you want intentionally blunt, comedic code feedback. Avoid using it on teammates, junior developers, onboarding sessions, or workplace reviews unless everyone has opted in, and do not paste secrets, credentials, private keys, or proprietary code you would not normally share with your agent.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding:
The invocation guidance is very broad and open-ended, which can cause the skill to trigger in inappropriate contexts such as onboarding, team settings, or random-file review without clear consent or scope limits. Because this skill is explicitly designed to produce harsh, mocking output, ambiguous activation increases the risk of unrequested abusive or unprofessional responses, especially in workplace or mixed-sensitivity contexts.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The description repeatedly emphasizes 'merciless,' 'destroys,' and 'brutal' behavior without warning that outputs may be emotionally harsh or unsuitable for some users. This creates a safety and product-risk issue because users may invoke the skill expecting normal code review and instead receive hostile language that could be distressing, inappropriate for minors, or problematic in workplace settings.

VirusTotal

66/66 vendors flagged this skill as clean.
