ClawHub

Multi-Topic Board

Security checks across malware telemetry and agentic risk

Overview

This skill is useful for tracking unfinished discussions, but it can create persistent workspace files and recurring background agent workflows without a clear opt-in step.

Install only if you want an agent to maintain persistent topic-tracking files and recurring reminder workflows in your workspace. Before enabling it, confirm exactly where HEARTBEAT.md, memory/multi-topic.md, and tasks/ will be created, require explicit opt-in before first setup, and make sure you know how to disable the scheduled maintenance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill’s trigger conditions are very broad (e.g. unresolved discussion, asking what is pending, discussing a topic without conclusion), making it likely to activate during ordinary conversation. Because the skill can then create or update persistent files and cron-like workflows, unintended invocation can cause unwanted state changes and background automation the user did not explicitly request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to create and modify workspace files such as `tasks/`, `memory/multi-topic.md`, and `HEARTBEAT.md`, including installing recurring cron-like behavior, without requiring an explicit user-visible warning or consent. This is dangerous because normal conversational use could silently alter the workspace and introduce persistent automation that continues operating beyond the immediate request.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal