ClawHub

Afrexai Ux Research Engine.Bak

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only UX research template skill; its main risk is privacy handling for research participant data, not hidden code or unsafe automation.

Install only if you intended the AfrexAI UX Research Engine package, especially given the backup/fork-style registry naming. When using it, get explicit recording consent, collect only necessary participant data, pseudonymize notes and quotes where possible, store raw notes and recordings in approved access-controlled systems, and define deletion or retention timelines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The README advertises very broad natural-language trigger phrases such as planning studies, building personas, and synthesizing findings without defining clear invocation boundaries, scope limits, or exclusion conditions. In agent ecosystems, overly generic triggers can cause unintended activation or routing, especially when similar user prompts appear in unrelated contexts, leading to inappropriate execution of the skill and possible prompt-surface expansion.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill defines very generic quick-command trigger phrases such as planning, creating, scoring, reviewing, and writing research artifacts. In an agent environment, broad triggers can activate unintentionally during ordinary conversation, causing the skill to take over context unexpectedly, reshape user requests, or expose internal workflow behavior when the user did not explicitly invoke the skill. The risk is amplified because the commands span many common verbs and business tasks rather than a narrowly namespaced invocation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs users to record sessions and later store notes, demographics, quotes, recordings, and repository artifacts, but it does not provide privacy safeguards, data minimization guidance, retention limits, or handling requirements for sensitive participant information. This can lead to collection and persistence of personal data without adequate consent, protection, or deletion practices, increasing the chance of privacy violations or unauthorized exposure of research subjects' information.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal