Security audit

clawhub

Security checks across malware telemetry and agentic risk

Overview

This looks like a normal local toolkit for creating skills, but its listing declares unrelated crypto and purchase capabilities that do not fit the files.

Install only if you intend to use a local skill-building toolkit. Run the bundled scripts in a dedicated workspace, review generated files before packaging or sharing them, and verify why the listing claims crypto and purchase capabilities even though the artifacts do not use them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The description is broad enough to trigger on many generic requests about creating or updating skills, causing the agent to load guidance that includes file modification, script execution, and packaging behavior. Over-broad triggering increases the chance of the skill activating in contexts where those actions are unnecessary or unsafe, expanding the attack surface for prompt-induced misuse.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.