Context Engineering (Koylan)

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate-looking context guidance router, but it loads unpinned external instructions from GitHub that can change after review.

Review this before installing if you do not fully trust the upstream GitHub repository. Prefer a local or commit-pinned copy of the referenced sub-skills, and treat fetched sub-skill text as advisory content that must not override user intent, platform policy, or safer scoped workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding:
The skill explicitly instructs the agent to load sub-skill instructions from remote GitHub raw URLs at runtime. This creates a supply-chain and prompt-injection risk because trusted behavior is delegated to mutable external content outside the reviewed skill package, allowing behavior to change without local review or pinning.

Vague Triggers
Severity: Medium
Confidence: 95%
Finding:
The trigger scope includes a broad catch-all phrase that activates on "Any discussion of context degradation, attention patterns, multi-agent coordination, or production agent architecture." This can cause the skill to auto-activate in many unrelated conversations, increasing the chance of unnecessary loading of external sub-skill content and expanding the attack surface for prompt injection or unintended behavior.

Missing User Warnings
Severity: Low
Confidence: 92%
Finding:
The README states that sub-skill documentation is fetched directly from GitHub, but it does not clearly warn users that using the skill may trigger external network access and import untrusted remote content at runtime. In a security-sensitive agent setting, silent remote fetches increase supply-chain and prompt-injection risk because external content can change over time and may be processed as trusted instructions.

Vague Triggers
Severity: Medium
Confidence: 78%
Finding:
The activation scope includes a broad catch-all covering generic discussions of context degradation, attention patterns, and production agent architecture. Over-broad routing can cause the skill to activate in situations the user did not intend, increasing the chance that it loads additional instructions or external content unnecessarily.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding:
The skill describes automatic remote fetching from GitHub but does not include a user-facing warning or consent step for network access and external instruction loading. This is dangerous because users may unknowingly cause data egress or import unreviewed remote prompts into the agent's decision process.

VirusTotal

49/49 vendors flagged this skill as clean.