Workspace Project Standard

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local workspace organizer, but users should review its file moves and AGENTS.md/MEMORY.md edits before running it.

Install this if you want the agent to enforce this workspace layout. Use simple project slugs, review the scaffold script and resulting diffs, keep the workspace under version control, confirm before moving root files, and document only secret names or vault/env references rather than actual credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill advertises very broad trigger phrases such as 'new project', 'clean up workspace', and generic documentation requests, which can cause it to activate in situations the user did not intend. Because this skill changes workspace structure and documentation practices, unintended invocation could lead to inappropriate file moves, scaffolding, or project standardization being applied to the wrong context.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill requires Layer 3 documentation to include a 'credentials reference' but gives no guardrails about storing only references versus secrets themselves. In a documentation-oriented workflow, this creates a realistic risk that agents or users will record actual credentials, tokens, or connection strings in markdown files under the workspace, leading to credential leakage through source control, backups, or later model access.

VirusTotal

66/66 vendors flagged this skill as clean.
