SKILL for FacturaScripts

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only FacturaScripts development skill, but users should be careful with its broad activation wording and write-capable ERP API examples.

Install this as FacturaScripts reference material, not as an automation authority. Use scoped API keys, keep real tokens out of prompts and source code, test generated API or MCP code in staging first, and require explicit human review before creating invoices, changing stock or accounting data, or deleting ERP records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The README instructs automatic use of the skill whenever broad FacturaScripts-related terms are mentioned, which creates an overbroad activation condition. This can cause the agent to load and rely on a large, externally authored code-generation skill in contexts where it is only tangentially relevant, increasing prompt-injection surface and the chance of unsafe or policy-bypassing guidance being introduced into unrelated tasks.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill activation scope is excessively broad and instructs use 'SIEMPRE' (Spanish for "always") for many loosely related ERP and coding tasks, which can cause the wrong skill to be invoked outside its safe, intended context. Overbroad routing increases the chance that irrelevant or lower-trust guidance is applied to user requests, leading to context confusion, bad code suggestions, or unintended access to sensitive workflow domains such as accounting, invoicing, and API integration.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger list includes generic names like Producto, Cliente, Proveedor, ListController, EditController, and PanelController, which are common across many business apps and frameworks. This ambiguity can misroute unrelated development tasks into this skill, causing inappropriate instructions or assumptions to be applied in contexts where they do not belong.

VirusTotal

66/66 vendors flagged this skill as clean.
