Bun Migration Advisor

Security checks across malware telemetry and agentic risk

Overview

This is a simple Bun migration guidance skill with overly broad activation wording, but it does not request privileged access or perform hidden actions.

Install only if you want a lightweight advisor for Bun migration planning. Be aware it may activate on unrelated coding or general-question prompts because its trigger wording is broad; review whether your agent lets you disable implicit invocation or narrow skill routing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding:
The trigger keywords are unusually broad and include generic terms like 'happy', 'answer', 'questions', and 'code', which can cause the skill to activate for many unrelated prompts. Over-broad invocation expands the attack surface by routing unintended conversations into this skill, increasing the chance of misapplication, user confusion, or prompt-space interference from skill content.

Vague Triggers

Medium
Confidence: 88%
Finding:
The description says to use the skill when a user asks for broad categories like 'work-productivity' or 'implementation support', which are not specific to Bun migration. This ambiguity can lead to inappropriate auto-selection of the skill in unrelated contexts, causing incorrect guidance and creating unnecessary exposure to any future unsafe instructions embedded in the skill.

Vague Triggers

Medium
Confidence: 94%
Finding:
The default prompt and description use broad, natural-language terms like 'help me' and 'considerations' without strong invocation constraints, which can cause the skill to be selected in loosely related conversations. Because implicit invocation is enabled, this ambiguity increases the chance of unintended activation and context bleed into user sessions where the user did not explicitly request this migration advisor.

Vague Triggers

Medium
Confidence: 92%
Finding:
The trigger phrase includes very common terms like "happy," "answer," "questions," and "code," which can cause the skill to activate for many unrelated requests. Overbroad activation can misroute user intent, invoke the wrong workflow, and create opportunities for prompt-space interference or unintended handling of requests outside the skill's intended scope.

VirusTotal

64/64 vendors flagged this skill as clean.
