ClawHub

Nextcloud Integration Helper

Security checks across malware telemetry and agentic risk

Overview

This is a small Nextcloud planning helper with overly broad trigger wording, but it does not install code, request secrets, or perform hidden actions.

Install only if you want a Nextcloud support planning helper. Be aware it may be selected for generic requests containing words like add or support, so prefer explicit invocation or narrow its trigger wording if your agent has many skills installed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger keywords are broad enough that the skill may activate for generic words like 'add', 'support', 'feature', or 'problem' that are unrelated to Nextcloud. This can cause unintended routing to this skill, leading to irrelevant guidance, confusion, or accidental exposure of workflow behaviors in contexts where the skill was not intended to run.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description defines activation conditions using broad categories like 'software-and-data', 'enhancement', 'add', and 'support' in addition to the specific Nextcloud use case. That ambiguity increases the chance the skill will be selected for unrelated requests, which weakens routing integrity and can produce incorrect or misleading assistance.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill enables implicit invocation while advertising a very broad activation scope through generic terms like 'enhancement', 'add', 'support', 'workflow', 'checklist', and 'analysis'. This increases the chance the agent will auto-select the skill in unrelated contexts, causing unintended data exposure to the skill or unreviewed execution of its guidance based on loosely matched user requests.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger sentences are broad natural-language phrases such as 'Help me [Enhancement] Add Nextcloud Support' and 'I need a practical workflow...', which are close to ordinary user requests and can cause unintended skill activation. In an agent system, ambiguous activation can route unrelated conversations into this skill, producing incorrect actions or exposing contextual data to a workflow the user did not explicitly intend to invoke.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The usage keywords include highly generic terms like 'support', 'feature', 'request', 'related', and 'problem', which lack boundaries and can match many unrelated prompts. This increases the chance of accidental invocation, misrouting, and inappropriate application of the skill to requests outside Nextcloud integration, especially in multi-skill agent environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal