AI Trending Radar

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a public trend-research helper that uses web research and local report output, with some overbroad activation and source-use guidance but no clear malicious behavior.

Install only if you want an agent to perform live public web research and save local JSON reports. Review or constrain the source list, language filters, and output path if you need tighter privacy, reduced network activity, or multilingual coverage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to execute a local Python script that performs live data fetching and writes a JSON report, which implies network and file-write capabilities, yet no permissions are declared. This creates a governance and containment gap: users or orchestrators may invoke a skill with side effects they did not explicitly authorize, increasing the risk of unintended network access, data exfiltration, or filesystem modification through the referenced script.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description uses broad catch-all phrasing such as 'any variation' around trending AI projects, which can cause the skill to activate for loosely related user requests. Over-broad activation is dangerous because this skill includes networked research and script execution behavior, so misrouting a request can trigger unnecessary external access and side effects outside the user's intent.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger conditions list broad categories like 'find / collect / scout' and 'track what's blowing up' without clear scope boundaries or negative examples. In context, this is more dangerous because once selected, the skill directs automated script execution and manual web queries across multiple sources, so ambiguous routing can lead to unintended browsing, data collection, and report generation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The instruction to query all primary sources on every run creates overbroad external access requirements without tying them to user intent, scope, rate limits, or fallback conditions. In an agent setting, this can cause unnecessary network activity, increased data exposure to third parties, and unpredictable behavior or cost even when the user only needs a narrow answer.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The guidance explicitly constrains searches to English-language content without user opt-in, which can bias results and suppress relevant sources in other languages. In this skill, that is especially problematic because the description includes Chinese-language use cases and global trend discovery, so the forced filter can mislead users and reduce coverage.

VirusTotal

59/59 vendors flagged this skill as clean.
