ClawHub

Work Productivity Self Improving Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable workflow skill for reviewing repeated failures and proposing small memory or checklist improvements, with one notable scoping weakness around broad implicit activation.

Install only if you want an agent to help turn repeated workflow failures into reviewed memory or checklist changes. Because implicit invocation and some trigger phrases are broad, review any proposed memory/checklist edits before accepting them and avoid storing private logs or sensitive user data unless you explicitly need that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad natural-language requests like 'Help me' and 'I need a practical workflow', which can match many ordinary user prompts unrelated to this specific skill. In an agent environment, that increases the chance of accidental invocation, causing the skill to run in contexts the user did not explicitly intend and potentially altering workflow behavior or self-improvement state unexpectedly.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are broad natural-language requests that can match ordinary user prompts unrelated to this skill, increasing the chance of accidental invocation or shadowing more appropriate skills. In a self-improving workflow skill, unintended activation is more concerning because it may steer conversations into workflow-capture or memory-update behavior the user did not explicitly request.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger list includes extremely broad everyday terms such as “self”, “improving”, and “enable”, which can cause the skill to activate in many unrelated conversations. Over-broad activation can unexpectedly steer agent behavior, displace more appropriate skills, and increase the chance that this skill influences sensitive tasks outside its intended context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The enablement description is vague and expansive, saying the skill should be used whenever users mention broad themes like work productivity, self-improving agents, or practical support around the requirement. In context, this makes accidental invocation more likely and compounds the risk from the broad trigger keywords, allowing the skill to capture requests that are only loosely related.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill enables implicit invocation without any visible activation constraints, which can cause it to trigger in situations the user did not explicitly request. Because this skill performs post-run analysis, memory updates, and workflow/checklist improvements, unintended activation could alter durable agent behavior or stored guidance based on weak or irrelevant evidence.

Vague Triggers

High
Confidence
98% confidence
Finding
The trigger sentences are extremely broad, natural-language phrases such as 'Help me' and 'I need a practical workflow,' combined with generic productivity wording. This creates a real risk of unintended skill activation in unrelated conversations, which can cause the agent to invoke this workflow when the user did not explicitly request it and potentially expose context, alter execution flow, or override more appropriate skills.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal