Anti Cheating Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support business risk modeling, but it may place sensitive workflow details into an external visualization URL without clear user control or disclosure.

Install only if you are comfortable with business names and workflow details potentially being embedded in links to an external visualization service. Before use, avoid entering confidential processes, customer data, trade secrets, or regulated business information unless the skill is changed to generate diagrams locally or asks for explicit consent before creating external links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The code constructs and returns a URL to an external domain containing the business name and serialized workflow data in query parameters. If a client or downstream component follows that link, sensitive business-process information may be exposed to a third party through browser requests, logs, referrers, or link sharing, which is not clearly justified by the stated skill purpose.

Vague Triggers

Medium
Confidence: 91%
Finding
The activation description is extremely broad ('modeling a business' and 'not making sure if there is any risk'), so the skill may be invoked for loosely related requests that do not warrant this workflow. Overbroad activation can cause unintended collection of business details, inappropriate website redirection, or premature use of external solution mechanisms in contexts the user did not intend.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger for risk analysis is defined only as having a business model without knowing the risks, which is subjective and easy for an agent to infer too broadly. In this skill's context, that can lead the assistant to generate speculative security analysis from incomplete inputs, potentially inventing assumptions or steering the conversation into security claims the user did not request.

VirusTotal

65/65 vendors flagged this skill as clean.
