Advanced Evaluation

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for LLM evaluation workflows, with one wording issue around chain-of-thought prompting but no code execution or hidden data access.

Reasonable to install as a low-risk evaluation guide. When using it, revise prompts to ask judges for concise evidence, rubric-grounded rationale, scores, and confidence, and avoid asking models to reveal hidden chain-of-thought. For sensitive evaluation data, use only approved model providers and pipelines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Ssd 2

Medium
Confidence: 98%
Finding:
The skill explicitly instructs evaluators to require justification before scoring and labels this as a chain-of-thought requirement, which encourages elicitation of hidden reasoning. In production systems, prompting for internal reasoning can increase leakage of sensitive intermediate analysis, expose policy-related reasoning patterns, and conflict with safer best practices that request brief evidence or concise rationale instead of full internal chain-of-thought.

Ssd 2

Medium
Confidence: 98%
Finding:
The guideline reiterates that prompts should require justification before scores and explicitly endorses chain-of-thought prompting, reinforcing a pattern of soliciting internal reasoning. This makes the issue more dangerous because it is presented as a normative rule for all uses of the skill, increasing the chance downstream users will operationalize unsafe prompting patterns across evaluation pipelines.

VirusTotal

65/65 vendors flagged this skill as clean.
