ClawHub

MdSpliter

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Markdown knowledge-file organizer that can create local chunk and index files but does not show hidden, destructive, or data-stealing behavior.

Install only if you want help organizing Markdown knowledge files. Before letting it modify content, confirm the exact knowledge folder, review generated chunks and INDEX.md, and avoid pointing it at sensitive documents unless you intentionally want them indexed for future agent use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes generic phrases like "load full file" and "chunk knowledge," which can plausibly appear in ordinary user requests outside the intended narrow context. Overly broad activation conditions can cause the skill to fire unexpectedly, influencing routing or behavior when unrelated tasks are being performed. In this skill, the content is not directly executing code or handling secrets, so the security impact is limited but still real as a prompt/behavior hijacking surface.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Gene's signals_match list uses broad phrases such as "knowledge too large" and "load full file" without clear scope, approval, or repository boundaries. That can cause the skill to activate in loosely related contexts and perform filesystem changes like creating chunk directories and rewriting knowledge files when the user did not explicitly request this transformation.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The Capsule repeats vague trigger terms and binds them to an action with non-trivial blast radius, increasing the chance of unintended automatic activation. In this skill's context, activation can lead to splitting documents, creating INDEX.md files, and altering workflow behavior, so overbroad triggers materially increase the risk of accidental changes across knowledge content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal