ClawHub

Product Validation Planner

Security checks across malware telemetry and agentic risk

Overview

This is a text-only product-planning skill with overly broad trigger wording, but it does not request sensitive access or perform actions.

Install only if you want a lightweight product-validation planning prompt. Be aware it may trigger too broadly for generic product or planning requests; explicit invocation is preferable until the publisher narrows the trigger language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

High
Confidence
97% confidence
Finding
The skill description uses broad activation language such as 'creative-and-content,' 'ask,' 'product,' and 'very,' which are common terms that can match many unrelated user requests. This increases the chance of accidental invocation, causing the wrong skill to steer conversations or inject irrelevant workflow guidance into benign contexts.

Vague Triggers

High
Confidence
99% confidence
Finding
The keyword list includes generic everyday words like 'ask,' 'product,' 'very,' 'high,' 'quality,' and 'ready,' which are likely to appear in a large volume of unrelated prompts. In an agent environment, this can cause frequent unintended activation and misrouting, potentially overriding more appropriate skills and degrading reliability across many interactions.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example trigger phrases are still broad and do not establish clear invocation boundaries, especially phrases like 'Help me Help for a Product' and generic workflow requests. Ambiguous examples reinforce permissive matching behavior and make it more likely that the skill is invoked outside its intended scope.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill metadata uses broad, vague phrasing such as 'Helps with Help for a Product' and a generic default prompt, which makes it easier for an orchestrator to match and invoke the skill in contexts beyond its intended scope. Overbroad matching can cause unintended activation, leading the agent to apply the skill to unrelated user requests and potentially leak context or produce unsafe workflow guidance outside the domain it was designed for.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Enabling implicit invocation without narrow activation constraints allows the platform to auto-select this skill based on weak or generic similarity signals. In a skill with already broad product-help wording, this increases the chance of unintended invocation, inappropriate context sharing, and misapplication of planning or advisory behavior to requests that did not clearly ask for this capability.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad and weakly scoped (for example, generic terms like "ask," "product," and "ready"), which can cause the skill to activate for unrelated requests. That increases the chance of unintended routing, confusing users, and causing the agent to apply this workflow in contexts where it is not appropriate.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal