ClawHub
Back to skill

Security audit

Work Productivity Humanizer Remove Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only workflow helper with broad auto-invocation wording, but no evidence of hidden commands, data access, persistence, or destructive behavior.

Install only if you want a general Humanizer-style workflow helper. Consider disabling implicit invocation or narrowing triggers if you do not want it to activate during ordinary writing, editing, review, or bug-fix requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger sentences are highly generic and resemble normal user requests, which increases the chance this skill will activate unintentionally for unrelated conversations. In an agent ecosystem, overly broad activation can cause the wrong workflow to run, leading to misrouting, unintended content transformations, or interference with user intent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are very broad and include generic terms like writing, text, editing, reviewing, and bug fix, which can cause this skill to activate for many ordinary user requests unrelated to its intended scope. Over-broad activation increases the chance that the skill is invoked in the wrong context, leading to unintended instruction injection surface, user confusion, or misapplication of workflow guidance.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger list is overly broad and includes generic terms like 'writing', 'text', 'editing', 'reviewing', and 'bug fix', which can cause the skill to activate for many unrelated user requests. That increases the chance of accidental invocation, inappropriate routing, and unsafe or low-quality assistance outside the skill’s intended scope.

Vague Triggers

High
Confidence
93% confidence
Finding
The manifest description uses expansive invocation language such as 'use when a user asks for work-productivity... or needs a practical workflow, artifact, checklist, analysis, or implementation support,' which is broad enough to match a large fraction of ordinary requests. This can make the skill shadow more appropriate skills, create confused routing, and increase the chance that users receive contextually wrong guidance.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger keywords and example invocations are overly broad and overlap with common writing, editing, reviewing, and bug-fix requests. This can cause the skill to activate outside its intended scope, leading to incorrect routing, unexpected transformations, or bypass of safer/specialized skills, especially because terms like 'writing', 'text', and 'reviewing' are generic.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default prompt uses very broad, everyday language such as 'help me' and generic workflow terms, which can cause the skill to be invoked in situations far beyond its intended scope. This increases the chance of unintended routing, context hijacking, or activation during unrelated user requests, especially because the skill is framed as general productivity assistance rather than a narrowly bounded function.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Enabling implicit invocation without tight activation boundaries allows the platform to auto-select this skill based on loose semantic matches. Combined with the broad naming and prompt language, this can cause the skill to activate unexpectedly on unrelated prompts, leading to prompt-scope confusion, reduced predictability, and possible interference with safer or more appropriate skills.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger sentence is excessively broad and can activate on ordinary help-seeking language rather than a clearly scoped request for this specific skill. That increases the chance of unintended invocation, causing the agent to apply the wrong workflow or disclose irrelevant guidance in contexts the user did not intend.

Vague Triggers

Medium
Confidence
88% confidence
Finding
This activation pattern is broad and lacks scope boundaries, so the skill may match many unrelated requests that merely resemble the requirement text. In an agent environment, ambiguous routing can cause incorrect tool selection, user confusion, and downstream unsafe automation if later steps assume the skill was intentionally chosen.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal