html-collab

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent collaborative HTML review tool, but it uses broad activation, hidden agent-facing bootstrap instructions, remote GitHub fallbacks, full document echoing, and direct overwrite behavior that should be reviewed before installation.

Install only if you intentionally want generic review documents to become html-collab files. Avoid using it for confidential drafts unless you are comfortable with full document text and feedback being copied into chat, keep backups before revisions, and prefer the bundled template over remote GitHub fallbacks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill instructs the agent to fetch a remote template from GitHub if a local file is unavailable, which expands the skill from local HTML drafting/review into network retrieval. Remote content can change, be unavailable, or be replaced with malicious/incompatible instructions, creating a supply-chain and prompt-injection risk that is not necessary for the core task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The READ flow authorizes Bash/Python image processing, including executing a compression script over embedded image data. This grants code/tool execution beyond simple document review and can expose the system to unnecessary tooling risk, dependency issues, and broader file/tool access than the skill's stated purpose requires.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The HTML contains an AI-targeted bootstrap comment instructing an assistant to retrieve instructions from an external GitHub URL and alter its workflow based on that content. This is a prompt-injection vector and a supply-chain risk: a downstream agent may follow hidden document instructions, fetch untrusted remote content, and expand its behavior outside the user's immediate request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The JSON bootstrap metadata embeds a remote skill URL plus an instruction telling agents to fetch it if the skill is not loaded. Even though it is in a JSON island, agents may parse machine-readable sections, making this another hidden instruction channel that can trigger untrusted network retrieval and prompt-context manipulation.

Vague Triggers

Severity: High
Confidence: 95%
Finding:
The trigger conditions are very broad, including generic requests like 'write a doc' or 'draft something for review' without specifying format. This can cause the skill to activate unexpectedly in ordinary workflows, changing output format and behavior without clear user intent and increasing the chance of inappropriate data handling or side effects.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill instructs direct overwrite of the original file in environments with file access, without requiring confirmation, backup creation, or warning. This can destroy the original annotated record, make recovery difficult, and cause unintended data loss if the revision is wrong or incomplete.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The skill explicitly tells the model to paste the full article contents and all comments/edits into the chat transcript and emphasizes that the conversation record is permanent. This needlessly republishes potentially sensitive document contents and human feedback into a broader retention surface, increasing confidentiality and privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.
