CementOps Environmental Compliance

Security checks across malware telemetry and agentic risk

Overview

This is a self-contained cement environmental compliance helper with an overly conservative reporting checker, not evidence of hidden or harmful behavior.

Reasonable to install for cement environmental compliance reference use. Treat reporting decisions as conservative prompts to investigate, not legal determinations; confirm actual obligations against the facility Title V permit, state requirements, official regulations, and qualified environmental counsel before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill instructs the agent to read multiple local reference files and to invoke a local script (`check_reporting.py`), which are code-like capabilities, but no corresponding permissions are declared. This creates a trust and containment gap: a host may expose file access implicitly or users may not understand that the skill depends on local file reads and command execution to function, increasing the chance of unintended data access or unsafe deployment assumptions.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list for malfunction reporting includes very broad terms such as 'malfunction', 'breakdown', and 'equipment failure' that can match routine conversational descriptions without enough regulatory context. In this compliance skill, an overbroad match can cause the agent to classify ordinary maintenance or ambiguous plant events as reportable incidents, leading to incorrect compliance guidance and unnecessary escalation.

Vague Triggers

Medium
Confidence: 84%
Finding
The opacity rule uses ambiguous triggers like 'opacity reading' and 'opacity hit', which may match benign status chatter or preliminary observations rather than an actual 6-minute average exceedance above the regulatory threshold. Because this skill gives compliance-reporting instructions, false matches can misdirect operators into treating non-reportable conditions as violations or taking unnecessary reporting actions.

VirusTotal

VirusTotal findings are pending for this skill version.
