ClawHub

Llm Api Provider Integration Helper

Security checks across malware telemetry and agentic risk

Overview

This skill is a text-only helper for a MiniMax Response API feature request, with no evidence of hidden execution, credential use, persistence, or data exfiltration.

Installers should understand this may activate for broad API or support wording because implicit invocation is enabled. It is otherwise a low-risk, text-only planning helper; consider tightening the trigger terms if precise routing matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill description is broad enough to match common terms like software, support, enhancement, and request, which can cause the skill to be invoked outside its narrow intended purpose. Over-broad invocation increases the chance that unrelated user requests are routed through this skill, leading to irrelevant guidance, workflow confusion, and possible misuse of referenced materials or implementation advice in the wrong context.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The keyword list includes highly generic terms such as support, response, api, feature, and request without scope constraints, making accidental or excessive triggering likely. In an agent environment, that can hijack normal request routing, causing this skill to activate for many unrelated API or support discussions and potentially crowd out more appropriate skills or controls.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The default prompt contains broad, generic language such as 'help me' and common request categories like 'support' and 'analysis', which can cause the skill to be selected in situations far beyond the narrow MiniMax Response API feature-request use case. This creates prompt-scope confusion and unintended invocation risk, especially when combined with implicit invocation, because unrelated user requests may trigger this skill and expose users to irrelevant or disruptive agent behavior.

Vague Triggers

Medium
Confidence
96% confidence
Finding
Enabling implicit invocation without clear trigger constraints allows the system to auto-select this skill based on ambiguous matches rather than explicit user intent. In this file, that risk is amplified by the broad default prompt, making accidental activation more likely and potentially routing unrelated requests into a specialized integration helper.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger sentence uses very generic language ('Help me', 'I need a practical workflow') around a broad software-support topic, which can cause the skill to activate for ordinary user requests that were not intended for this specific requirement. This increases the chance of misrouting conversations, producing irrelevant guidance, or overshadowing more appropriate skills, and the narrow MiniMax suffix only partially mitigates the overlap.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal