ClawHub
Back to skill

Security audit

Work Productivity Multi Search Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This appears to be a workflow/documentation helper with overly broad activation wording, but the supplied evidence does not show hidden code, credential use, persistence, or destructive behavior.

Install only if you want a general multi-search workflow helper. Because its triggers are broad, prefer explicit invocation and review its suggestions before letting an agent apply code, automation, or workflow changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

High
Confidence
92% confidence
Finding
The trigger phrases are extremely broad and include generic terms like "multi," "search," and "engine," which can cause the skill to activate in unrelated contexts. In an agent environment, overbroad activation can route unintended tasks into this skill, creating prompt confusion, mis-execution, or unsafe chaining with other tools and workflows.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger phrases are broad and map to common words like 'multi', 'search', and 'engine', which can cause the skill to activate for many unrelated user requests. This increases the chance of unintended invocation, context hijacking, or the wrong workflow being applied, especially in shared agent environments where skill routing is automatic.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger keyword list is excessively broad and includes common terms like "multi," "search," "engine," "integration," and "bug fix," which can cause the skill to activate for many unrelated requests. Overbroad activation increases the chance of prompt-routing mistakes, unintended skill invocation, and context bleed into tasks the user did not intend this skill to handle.

Vague Triggers

High
Confidence
93% confidence
Finding
The description says to use the skill when a user asks for broad concepts such as work-productivity, multi, search, engine, or any practical workflow or analysis support, which creates an unclear and overly permissive invocation boundary. This can cause the skill to be selected in situations outside its intended scope, leading to misrouting, reduced reliability, and possible interference with more appropriate skills.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example trigger phrases are written as generic help requests and closely resemble ordinary user prompts, making accidental invocation more likely. When examples are vague, they reinforce permissive routing behavior and reduce the precision of downstream skill selection.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger keywords are overly broad, including generic terms like "multi", "search", and "engine", which can cause the skill to activate for unrelated requests. In an agent environment, this creates routing confusion and increases the chance that users receive irrelevant workflow guidance or that this skill intercepts prompts meant for safer or more appropriate skills.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The usage condition says to use the skill when users mention broad categories or need general artifacts, checklists, analysis, or implementation help, but it does not clearly define boundaries for when the skill should not be used. This ambiguity can lead to over-activation, misrouting, and inconsistent behavior across agents, especially because the described job-to-be-done overlaps with many generic productivity or troubleshooting requests.

Vague Triggers

High
Confidence
96% confidence
Finding
The default prompt contains a very broad natural-language trigger phrase ('Use $work-productivity-multi-search-workflow-helper to help me ...') tied to generic productivity and search-related wording. Because implicit invocation is enabled, ordinary user requests about work productivity or search workflows could unintentionally activate this skill, expanding its reach beyond explicit user intent and creating prompt-routing and least-privilege risks. In this context, the skill is especially prone to over-triggering because its description and prompt target common workplace tasks rather than a narrowly scoped action.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger sentence begins with a highly generic phrase ('Help me') and then appends requirement text, which can cause the skill to activate for ordinary user requests unrelated to this specific workflow. Overbroad activation increases the chance of misrouting tasks, unexpected invocation, and prompt-surface expansion into contexts the skill was not designed to handle.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase 'I need a practical workflow for ...' is vague and broad, lacking clear boundaries on the task domain, which may cause the skill to match many unrelated productivity requests. In an agent-routing system, ambiguous triggers can lead to incorrect tool selection, user confusion, and unintended exposure of downstream instructions or capabilities.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal