ClawHub

Using Superpowers 0.1.0

Security checks across malware telemetry and agentic risk

Overview

This skill contains no executable code, but it broadly tries to control how the agent behaves in every conversation.

Install only if you intentionally want a global process rule that makes the agent check skills before nearly any action. It does not appear to run code or access data, but its instructions are unusually broad and may make the agent less direct or less responsive to normal clarification and prioritization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence
97% confidence
Finding
The skill description is excessively broad: "Use when starting any conversation" effectively makes this a universal precondition for all interactions. That can override more specific task selection logic, create unnecessary tool invocations, and let a process skill dominate agent behavior even when irrelevant, increasing the chance of prompt-routing abuse or denial-of-service through procedural overload.

Vague Triggers

High
Confidence
99% confidence
Finding
The "even a 1% chance" threshold is an unsafe trigger because it collapses meaningful relevance checks and forces invocation under extreme uncertainty. In practice, this can cause cascades of unnecessary skill loading, make the agent easier to steer into arbitrary workflows, and degrade availability or decision quality by treating speculative applicability as mandatory.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Requiring skill invocation before any response or action, including clarifying questions, is a rigid meta-instruction that can interfere with normal safe operation and reduce the agent's ability to scope the task before committing to a workflow. Because the rule lacks tight constraints and negative examples, it can be misapplied broadly, amplifying the effect of irrelevant or conflicting skills and causing procedural lock-in.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal