ClawHub

Storybook Generator

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent storybook-generation purpose, but it can install an additional unreviewed workflow skill and sends story content to AnyGen’s remote service.

Review this before installing because it can add a separate workflow skill to your agent environment. Only proceed if you trust AnyGen, use a revocable API key, avoid confidential story prompts or assets unless you intend to send them to AnyGen, and approve or review the companion skill installation instead of relying on the automatic `-y` command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger description is very broad and includes many generic visual-content requests, which can cause the skill to activate for requests that do not actually require this tool. In context, that matters because the skill routes content into an external generation workflow, increasing the chance that unrelated user data or prompts are sent to a remote service unnecessarily.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that generation occurs server-side at www.anygen.io, but it does not provide a clear user-facing warning that prompts, story text, and possibly sensitive content will be transmitted to a third-party remote service. In this context, the broad activation scope makes the omission more dangerous because users may unknowingly send private or proprietary material off-platform.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal