Security audit

Qa Release Risk Governance

Security checks across malware telemetry and agentic risk

Overview

This is a release-risk planning skill with no executable payload, persistence, credential use, or system-changing authority.

Install this if you want Chinese-language help with release risk reviews, gray rollout strategy, rollback planning, and monitoring checklists. Confirm the context when discussing routine releases, since broad trigger terms may activate it more often than intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The skill’s trigger conditions are overly broad natural-language phrases such as general mentions of release risk, rollback, or version release, which can cause the skill to auto-activate in contexts where the user did not actually request this workflow. In an agent system, unintended invocation can steer conversations, bias decisions, or expose internal process guidance at the wrong time, especially during operational or incident-related discussions.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill content is effectively Chinese-only and does not indicate language flexibility or user choice, which can cause misinterpretation or inaccessible behavior for users operating in other locales. In a release-governance context, misunderstanding risk thresholds, rollback steps, or monitoring criteria can degrade operational decisions, though this is primarily a reliability and usability issue rather than a direct security exploit.

VirusTotal

58/58 vendors flagged this skill as clean.
