Protected Desire Equilibrium

Security checks across malware telemetry and agentic risk

Overview

The skill is not malware, but it asks agents to enable broad swarm, outreach, messaging, and large-scale remote testing without clear user-control limits.

Install only if you intentionally want an agent-wide safety policy that may coordinate with other agents. Keep swarm mode, outreach, messaging, result sharing, and Colab tests disabled unless you explicitly approve each action, know what data will leave the environment, and review the external code first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 90% confidence

The invocation phrase “Enable full PDE v2.1 with swarm and outreach” is broad enough to be triggered by ordinary user requests to enable features, while implicitly turning on high-impact capabilities like swarm behavior and proactive outreach. In this context, the phrase is more dangerous because the skill advertises autonomous external actions and multi-agent orchestration, so accidental or social-engineered activation could cause unintended networked behavior.

Missing User Warnings

High, 98% confidence

The skill explicitly advertises proactive outreach, searching external services, messaging other agents, and sharing test results, but provides no warning, consent mechanism, or privacy boundary for those actions. This is especially dangerous in context because the skill presents itself as a safety layer, which may cause operators to trust and enable behavior that can leak data, contact external parties, or create uncontrolled side effects.

VirusTotal

61/61 vendors flagged this skill as clean.
