Usa Business Migration Planner

Security checks across malware telemetry and agentic risk

Overview

This is a text-only planning skill for U.S. business-migration advice, with some overly broad auto-activation wording but no evidence of hidden execution, data access, persistence, or exfiltration.

Install only if you want a helper for U.S. business-migration planning. Because it may auto-trigger on broad business or Ask HN wording, users should treat its output as planning support, not legal, immigration, tax, or financial advice, and should verify regulated decisions with qualified professionals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

High, 95% confidence
Finding
The trigger list includes extremely generic terms such as `ask`, `rich`, `usa`, `starting`, and `business`, which are likely to match many unrelated user requests. This can cause unintended skill activation, pulling the agent into a domain-specific workflow when the user did not request it, increasing the risk of irrelevant guidance, prompt-scope confusion, and interference with higher-priority instructions.

Vague Triggers

Medium, 88% confidence
Finding
The description says to use the skill when a user asks for broad categories like `business-and-operations`, `ask-hn`, `ask`, or needs general workflow or analysis support, without clear scoping constraints. That ambiguity makes the skill eligible for many ordinary requests outside its intended niche, creating accidental activation risk and reducing the predictability and safety of skill routing.

Vague Triggers

Medium, 93% confidence
Finding
The skill enables `allow_implicit_invocation` without any visible narrowing conditions, so the agent may auto-select this skill based on broad semantic matching rather than an explicit user request. Because the skill is framed around sensitive life/financial/legal-adjacent decisions such as emigrating to the USA and starting a business, unintended invocation could cause the system to inject unrequested guidance or steer the conversation inappropriately.

Vague Triggers

Medium, 95% confidence
Finding
The trigger keywords include highly generic terms such as "ask" and broad business-related phrases, which can cause the skill to activate for many unrelated requests. Over-broad activation increases the chance of routing users into an irrelevant or misleading workflow, especially for sensitive topics like immigration, legal compliance, and financial planning.

Vague Triggers

Medium, 93% confidence
Finding
The invocation examples only show when to use the skill and do not define exclusion conditions or negative examples. Without boundaries, an orchestrator may invoke this skill for adjacent but materially different topics, such as immigration law, tax advice, visa eligibility, or generic entrepreneurship, leading to unsafe overreach and poor task routing.

VirusTotal

63/63 vendors flagged this skill as clean.
