ClawHub

Automation Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This is a coherent automation guide, but it under-scopes guidance for saved login sessions, credentials, local files, and high-impact browser automation.

Review carefully before installing. Use this only for systems and data you are authorized to automate, do not paste real passwords, API keys, or session cookies into chat, prefer scoped OAuth or secure secret storage, inspect generated scripts before running them, and require explicit human approval for workflows that submit forms, change accounts, publish content, move money, or reuse saved login sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list is very broad and includes common terms like "workflow," "efficiency," "save time," and "automate," which can cause this skill to activate in many unrelated contexts. Unintended invocation is dangerous because the skill promotes browser automation, account connection, and external tool use, increasing the chance that a user is steered into risky automation workflows without having explicitly asked for them.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill gives detailed guidance for browser automation, credentialed account connection, cookie reuse, file export, spreadsheet/Word generation, and message sending, but does not include explicit safety boundaries around handling secrets, personal data, third-party terms of service, or high-risk actions. In context, this omission is significant because the skill encourages automating internal systems and external websites, which can expose credentials, session cookies, customer data, or regulated information if users follow the guidance naively.

VirusTotal

No VirusTotal findings

View on VirusTotal