Security audit

Work Productivity Ontology Typed Workflow Helper 002325

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only workflow helper with no executable code or hidden data access, but its activation wording is broad enough that users should invoke it deliberately.

Install only if you want a general ontology/workflow planning helper, and prefer explicit invocation by name because its broad implicit triggers could make it appear in unrelated workflow, analysis, or bug-fix requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger sentences are extremely broad and resemble ordinary user requests, making accidental invocation likely. In an agent ecosystem, this can cause the skill to activate outside its intended scope, override more appropriate skills, or steer workflows based on unrelated prompts, reducing reliability and potentially causing unsafe or unintended actions downstream.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger phrases are broad, natural-language prompts that can match many ordinary user requests unrelated to this specific skill. In an agent-routing context, that can cause unintended invocation, over-broad tool exposure, and misapplication of the skill to requests where it was not explicitly intended, increasing the chance of unsafe or unreliable behavior.

Vague Triggers

High
Confidence
96% confidence
Finding
The skill description and activation guidance are broad enough to match many ordinary requests involving workflows, analysis, implementation help, or generic productivity topics. This can cause inappropriate auto-invocation or routing, leading the agent to apply the wrong skill context, produce irrelevant outputs, or bypass more suitable specialized skills.

Vague Triggers

High
Confidence
98% confidence
Finding
The keyword list includes highly generic terms such as 'typed', 'knowledge', 'graph', 'structured', 'memory', 'creating', and 'bug fix', which are common across many unrelated tasks. Over-broad triggers increase false activations and can steer user requests into this skill even when its ontology-workflow focus is not relevant.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The example trigger sentences are templated and generic, and they do not show clear distinctions between valid and invalid use cases. This weakens routing precision because downstream systems or authors may treat vague sample invocations as acceptable matching patterns, increasing accidental activation.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list is overly broad and includes generic terms like "knowledge", "graph", "structured", and "creating", which can match many unrelated user requests. This can cause the skill to be invoked outside its intended scope, leading to incorrect delegation, degraded reliability, and possible overshadowing of more appropriate skills.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description says to use the skill for broad topic areas or whenever a user needs practical workflow or implementation support, but it does not clearly define boundaries or exclusions. This ambiguity increases the chance of accidental invocation in unrelated contexts, which can misroute user tasks and reduce overall agent safety and predictability.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The default prompt is broad and loosely scoped, using generic terms like 'help me' and a long requirement description that could match many unrelated user requests. Combined with 'allow_implicit_invocation: true', this increases the chance the skill is auto-invoked when the user did not clearly intend to use it, which can cause prompt hijacking of routing, irrelevant actions, or unintended exposure of the skill's behavior in other contexts.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger sentences are broad and include common phrases like 'help me' and 'I need a practical workflow' combined with loosely related topic words, which can cause the skill to activate in contexts the user did not intend. In an agent ecosystem, unintended activation can misroute tasks, override more appropriate skills, and increase the chance that sensitive user inputs are processed by the wrong workflow.

VirusTotal

63/63 vendors flagged this skill as clean.
