Work Productivity Gog Google Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This is a guidance-only workflow skill with overly broad activation wording but no hidden code, credential access, persistence, or destructive behavior.

Before installing, be aware that the skill may activate for broad Google, Workspace, CLI, Gmail, Calendar, Drive, Contacts, or bug-fix requests. Use explicit skill invocation when you want this workflow, and review any generated scripts or Google Workspace actions before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger sentences are broad, natural-language phrases that resemble ordinary user requests rather than an explicit opt-in command. This can cause accidental invocation of the skill in unrelated conversations, increasing the chance that the agent applies the workflow unexpectedly or exposes users to unintended actions or outputs.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger phrases are broad, generic help requests that can match ordinary user intent unrelated to this specific skill. That increases the chance of accidental invocation or priority hijacking, causing the agent to route users into this workflow when they did not explicitly ask for it, which can lead to inappropriate actions or confusing outputs in a productivity/Google Workspace context.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The skill description uses very broad activation terms such as general productivity, Google, workspace, CLI, workflow, artifact, and analysis support, which can cause the skill to be invoked for many unrelated requests. Over-broad routing increases the chance of unintended skill activation, causing prompt-scope confusion and potentially exposing users to irrelevant or unsafe instructions outside the skill's intended job-to-be-done.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The trigger keywords are highly generic and ambiguous, including terms like 'google', 'workspace', 'cli', 'gmail', 'calendar', and 'bug fix', all of which are common across many unrelated skills. In an agent ecosystem, such broad triggers can hijack routing, leading this skill to activate in contexts it was not designed for and increasing the risk of incorrect automation guidance or interference with more appropriate skills.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The example trigger sentences rely on vague phrases like 'Help me' and 'I need a practical workflow', which are common user expressions and not reliable invocation boundaries. These examples reinforce over-broad matching behavior and make accidental activation more likely, especially when combined with the already generic description and keyword set.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The trigger list includes very generic terms such as "google", "workspace", "cli", and "bug fix", which are common across many unrelated requests. This can cause the skill to activate outside its intended scope, potentially overriding more appropriate skills and leading to incorrect guidance or unintended handling of user tasks.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The invocation description says to use the skill for broad categories like work-productivity, google, workspace, and practical workflow support, without clearly bounding the exact scenarios. Ambiguous activation guidance increases the chance of accidental invocation, which can reduce routing accuracy and expose users to irrelevant or lower-quality instructions.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The default prompt trigger phrase is broad and tied to common terms like work productivity, Google, workflow, and practical help, which can cause the skill to be invoked in many ordinary user conversations without clear intent. Because implicit invocation is enabled, this increases the chance of unintended routing, prompt injection surface expansion, and unexpected exposure of the skill's instructions in unrelated contexts.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger sentence is written as a broad everyday request pattern, which can cause the skill to activate for generic help queries that only loosely relate to the intended Google/Gog workflow scope. In an agent environment, overly broad activation increases the chance of misrouting user requests, unintended tool use, or applying this skill in contexts where its assumptions do not hold.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The trigger guidance is ambiguous because it mixes broad keywords with generic request templates without clear boundary conditions for when the skill should or should not activate. This makes prompt routing less predictable and can cause the agent to select the skill for unrelated productivity or workflow tasks, reducing reliability and potentially exposing users to incorrect actions or outputs.

VirusTotal

63/63 vendors flagged this skill as clean.