Product Validation Planner

Security checks across malware telemetry and agentic risk

Overview

This is a simple product-planning prompt skill with overly broad activation wording but no evidence of malware, data access, persistence, or destructive behavior.

This skill appears safe to install from a security standpoint, but expect possible over-triggering because words like "ask," "product," "very," "high," and "quality" are too generic. Prefer installing it only if you want product-validation help, and consider tightening or disabling implicit invocation if your agent supports that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

High, 95% confidence
Finding: The trigger keyword list is overly broad and includes generic terms like 'ask', 'product', 'very', 'high', 'quality', and 'ready'. In an agent routing system, this can cause the skill to activate for many unrelated prompts, leading to misrouting, unexpected behavior, and possible interference with more appropriate skills.

Vague Triggers

High, 90% confidence
Finding: The skill description defines activation criteria with ambiguous language such as 'help users', 'creative-and-content', 'ask', 'product', and 'needs a practical workflow'. These broad conditions do not clearly bound when the skill should run, increasing the chance of accidental invocation on unrelated user requests and reducing routing integrity.

Vague Triggers

Medium, 84% confidence
Finding: The example trigger sentences are themselves broad and reinforce weak invocation controls, because they center on generic 'help' and direct tool naming without clarifying the specific problem domain. This can train downstream systems or authors toward permissive invocation patterns, further increasing accidental activation frequency.

Vague Triggers

Medium, 91% confidence
Finding: The skill exposes a very generic default prompt and description ('Help for a Product') while also allowing implicit invocation, which increases the chance the agent will activate this skill for loosely related requests. That can cause unintended tool routing, misleading outputs, or bypass of more appropriate safeguards because the trigger criteria are not narrowly scoped.

Vague Triggers

Medium, 92% confidence
Finding: The trigger phrases and keywords are overly broad and include generic terms like "ask," "product," "very," "high," and "quality," which can cause the skill to activate for many unrelated user requests. This creates inappropriate routing risk: users may be steered into a product-validation workflow when they wanted something else, leading to incorrect assistance, prompt hijacking opportunities through over-selection, or degraded trust in agent behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
