ClawHub

Skill Maker

Security checks across malware telemetry and agentic risk

Overview

This is a visible, instruction-only skill for creating other skills, with no executable code or hidden data access.

Safe to install as a skill-building guide. Before enabling any skill it creates or replaces, review the generated SKILL.md, confirm any overwrite or target path, and inspect generated scripts or executable resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill recommends generic trigger phrases like 'I need to [action]' and 'Help me with [domain]', which are broad enough to match many unrelated user requests. In an agent ecosystem, this can cause accidental activation of the skill-maker workflow in contexts where the user did not ask to create or modify skills, leading to prompt hijacking of task routing and inappropriate self-directed behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The template says the skill activates when the user wants a capability, but does not define boundaries for matching that intent. This ambiguity encourages downstream skill authors to create activation rules that are too permissive, increasing the chance of unintended invocation and incorrect agent behavior.

Vague Triggers

Low
Confidence
84% confidence
Finding
The testing section only asks whether desired trigger phrases match, but never checks false positives, near-misses, or exclusion scenarios. That makes it more likely that authors will ship skills with overbroad routing behavior, which can degrade safety and reliability across the agent system.

Vague Triggers

Low
Confidence
80% confidence
Finding
The example description uses broad wording like 'User asks weather' and 'User wants forecast', which models imprecise trigger design for future skill authors. Even though it is only an example, it normalizes underspecified activation patterns that can spread into production skills.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal