ClawHub

Fabric Bridge

Security checks across malware telemetry and agentic risk

Overview

Fabric Bridge is an instruction-only helper for using the Fabric AI CLI, with expected external AI/API-key risks but no hidden or destructive behavior in the artifacts.

Install this only if you intend to use Fabric AI and trust the fabric-ai CLI source. Use a dedicated or revocable API key where possible, avoid sending secrets or regulated data, use --dry-run for sensitive workflows, and review community patterns, saved sessions, contexts, and custom pattern files before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description uses very broad trigger phrases such as general analysis, writing improvement, summarization, and any mention of 'fabric' CLI, which can cause the skill to activate for many ordinary requests beyond a narrowly intended scope. Over-broad activation increases the chance that users are routed into a network-capable, prompt-driven tool unexpectedly, which can lead to unnecessary external processing of user content or confusion about what system is being invoked.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to configure API keys and includes examples that fetch remote URLs and process their contents, but it does not prominently warn that data may be sent to external services or that credentials must be handled securely. In a skill context, this omission can cause accidental transmission of sensitive text, URLs, or media to third-party APIs and can normalize unsafe handling of secrets during setup.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal