ClawHub

Product Validation Planner

Security checks across malware telemetry and agentic risk

Overview

This is a text-only planning skill with overly broad activation wording, but it does not request dangerous permissions or perform hidden actions.

Install this only if you want a general product-validation and planning helper. Be aware it may activate on vague prompts involving words like product, ask, quality, or ready; explicit invocation is safer if your agent allows controlling skill use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

High
Confidence
97% confidence
Finding
The skill description uses very broad activation language such as 'creative-and-content', 'ask', 'product', and 'needs a practical workflow', which can match many unrelated user requests. This makes unintended invocation likely, causing the agent to route users into this skill outside its intended scope and potentially produce irrelevant or misleading outputs.

Vague Triggers

High
Confidence
99% confidence
Finding
The keyword list includes generic words like 'ask', 'product', 'very', 'high', 'quality', and 'ready', which are common in normal conversation and not distinctive to this skill. Such vague triggers can activate the skill for a wide range of unrelated prompts, increasing the chance of misrouting and unsafe or low-quality agent behavior.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example trigger sentences are themselves vague and reinforce activation on underspecified requests like 'Help me Help for a Product.' This trains or signals the routing layer to accept ambiguous invocations, making accidental selection of the skill more likely and reducing confidence that the skill is being used in the correct context.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill uses broad, generic trigger language such as "Help for a Product" and enables implicit invocation, which increases the chance that unrelated user requests will activate this skill unintentionally. In an agent environment, unintended activation can route user queries into the wrong workflow, causing prompt-scope confusion, incorrect actions, or exposure of user context to a skill that was not explicitly selected.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases and keywords are broad enough that this skill could activate for many unrelated requests, especially because terms like "ask," "product," "very," "high," and "quality" are common in normal conversation. Over-broad activation can cause the wrong skill to take control, leading to misrouting, confusing outputs, and possible bypass of more appropriate domain-specific safeguards or workflows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal