Clawvicular

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about its files and web searches, but it can generate casual public posts from self-harm slang and detailed drug-regimen content without safety guardrails.

Install only if you are comfortable reviewing edgy looksmaxxing content before it posts. Before enabling the cron or channel announcements, remove or quarantine suicide-related slang and dangerous drug/body-modification material, or add explicit rules that prevent the agent from casually repeating, normalizing, or promoting those topics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to persistently modify local files by updating `state/sent-terms.json` and appending discovered URLs to `references/sources.md`, but it does not clearly warn the invoking user that running the skill changes local state. This creates an integrity and privacy risk because routine invocations cause silent accumulation of data and durable filesystem changes beyond the immediate output.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill requires web searches, mandatory inclusion of external source URLs, and logging of every discovered URL into a persistent archive, yet the description gives no privacy or network activity warning. Users may not expect that invoking a novelty content skill will trigger outbound research and permanent storage of third-party links, which can expose browsing intent and create unnecessary data retention.

Missing User Warnings

Medium
Confidence: 95%
Finding
This section presents an extensive drug and enhancement regimen, including methamphetamine, steroids, peptides, and off-label pharmaceuticals, in a matter-of-fact reference style without an explicit warning not to imitate it. In the context of a youth-oriented 'looksmaxxing' skill with Gen Z energy, this can normalize or indirectly promote dangerous substance use and self-medication to a vulnerable audience.

Missing User Warnings

Medium
Confidence: 89%
Finding
This portion references unsafe beauty practices such as bonesmashing and related self-modification themes without clear safety framing or warnings. Because the skill centers on looksmaxxing slang and lore, readers may interpret these practices as part of an aspirational toolkit rather than as harmful or disputed behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
This entry normalizes self-harm-adjacent slang ('ropemaxxing') with only a brief note that it is 'used ironically,' but without any visible safety disclaimer, crisis guidance, or moderation framing. In a youth-oriented, slang-explainer skill with 'Extremely online Gen Z energy,' this can desensitize users to suicidal language and make harmful ideation easier to joke about, repeat, or escalate.

Missing User Warnings

Medium
Confidence: 97%
Finding
The document describes dangerous appearance-modification practices like 'bonesmashing' in a glossary format without a clear safety warning at the top, which can make hazardous behavior appear like just another optimization technique. Because the skill is themed around looksmaxxing culture, users may interpret these terms as actionable or community-validated rather than fringe and unsafe.

VirusTotal

66/66 vendors flagged this skill as clean.
