Programming

Security checks across malware telemetry and agentic risk

Overview

This is a simple programming guidance skill that mostly prints bundled documentation, with a practical privacy caution around examples that send local files to Claude CLI.

Install this only if you want a broad programming reference skill and can review the Chinese instructions. When following its Claude CLI examples, do not pipe secrets, credentials, private customer data, or proprietary code to an external AI service unless your organization permits it, and write generated code to a temporary file before replacing existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 91% confidence

Finding
The skill’s activation scope is very broad: it applies whenever the agent needs to perform generic programming tasks, including development, debugging, optimization, architecture, and tool guidance. Overly broad triggers can cause the skill to activate in many unrelated or sensitive coding contexts, increasing the chance of unintended instruction injection, policy bypass-by-context, or inappropriate delegation to this skill when a narrower, safer skill should be used.

Natural-Language Policy Violations

Medium, 84% confidence

Finding
The skill content is written entirely in Chinese and presents the workflow and outputs in that language without indicating user choice or localization behavior. In an agent setting, forcing a language can degrade transparency, user comprehension, and reviewability, which indirectly increases security risk by making unsafe actions or instructions harder for users and operators to notice and validate.

Missing User Warnings

Medium, 87% confidence

Finding
The guide shows examples that pipe local file contents to an external AI service and redirect generated output into files, but it does not warn about data exposure, handling of sensitive code, or accidental overwrites. In a developer-facing skill, these omissions can lead users to unknowingly send proprietary material off-host or replace files with unreviewed content.

VirusTotal

66/66 vendors flagged this skill as clean.
