Self-Improving Negotiation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed negotiation logging and reminder skill; its optional prompt hook is broad, but the inspected artifacts only emit reminders and create local markdown/scaffold files when explicitly configured or run.

Install this if you want persistent local negotiation improvement notes. Enable the optional hooks deliberately, because the prompt hook example can fire on unrelated prompts and the Bash hook checks command output for negotiation keywords. Avoid storing confidential deal terms, pricing, legal positions, or counterparty details unless the workspace access controls and retention policy are appropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 96%
Finding
The empty `matcher` under `UserPromptSubmit` makes the hook eligible on every user prompt, not just negotiation-related ones. Overly broad activation can leak context into unrelated sessions, create noisy or manipulative reminders, and increase the chance of unintended file writes or downstream script execution paths.

Vague Triggers

Medium
Confidence: 92%
Finding
The empty matcher for the `UserPromptSubmit` hook causes the activator script to run for every submitted prompt, not just negotiation-related interactions. This broad trigger expands the skill's influence across unrelated workflows and increases the chance of unnecessary prompt injection, accidental information exposure to the hook process, or misuse if the script is later modified or compromised.

VirusTotal

66/66 vendors flagged this skill as clean.
