ClawHub

Unit Test Coverage Helper

Security checks across malware telemetry and agentic risk

Overview

This is a simple unit-test helper skill with overly broad activation wording but no hidden execution, credentials, persistence, or data access.

Install this only if you want a lightweight helper for adding unit tests. Be aware it may activate on broad unit-test-related wording, so review its suggestions before allowing code edits, but the inspected files do not show credential use, hidden execution, or persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad enough to match common requests like asking for help adding unit tests, which can cause this skill to activate outside of narrowly intended contexts. Over-broad activation increases the chance of inappropriate routing, prompt collision with other skills, and untrusted content influencing responses when the user did not explicitly request this specific helper.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are generic and likely to match ordinary support requests such as 'help me' or 'I need a practical workflow,' which can cause the skill to activate outside its intended scope. In an agent system, over-broad activation can route unrelated user requests into this skill, creating prompt-routing confusion and increasing the chance that users receive irrelevant or misleading guidance.

Vague Triggers

High
Confidence
94% confidence
Finding
The skill description says to use this skill when a user asks for very generic terms like "general-help," "add," "unit," and "tests," which creates a high risk of accidental or irrelevant invocation. Overbroad activation can route unrelated user requests into this skill, causing incorrect assistance, context confusion, or misuse of the skill in situations where it was not intended.

Vague Triggers

High
Confidence
97% confidence
Finding
The keyword trigger list includes extremely common words like "add," "unit," "tests," "level," and "type" without contextual constraints, making unintended invocation likely across many unrelated conversations. In an agent-routing system, such ambiguous triggers can degrade reliability and potentially expose users to irrelevant actions or outputs based on misclassification.

Vague Triggers

High
Confidence
88% confidence
Finding
The skill metadata description includes very broad trigger terms such as 'general-help', 'add', 'unit', and 'tests', which can match many unrelated user requests. This can cause the wrong skill to activate and steer an agent into producing irrelevant code or workflow actions in contexts where unit-test assistance was not intended.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger section lists generic keywords without scope limits, exclusions, or required combinations, making accidental activation likely. In an agent environment, overbroad routing can misapply this skill to unrelated tasks, increasing the chance of incorrect assistance, unnecessary code changes, or context confusion.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The default prompt uses a very broad natural-language trigger phrase, "help me Add Unit Tests," which overlaps with ordinary user requests and can cause unintended or implicit invocation of this skill. Because implicit invocation is enabled, benign conversations about unit tests may activate the skill unexpectedly, increasing the chance of prompt-routing confusion or unauthorized influence over the agent workflow.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad enough to match ordinary user requests like 'Help me Add Unit Tests,' which can cause the skill to activate in many routine contexts. Over-broad activation increases the chance of inappropriate routing, prompt-shadowing of more specific skills, and unintended exposure of this skill's guidance when the user did not explicitly request it.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal