Plan Ceo Review

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only planning review skill that may inspect repo context and create planning documents, but those behaviors are disclosed and aligned with its purpose.

Install this if you want an opinionated, heavyweight planning reviewer. Expect it to inspect repository history and propose or create planning docs; only approve TODO updates or docs/designs promotion when you want those files committed to the repo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch (Medium, 95% confidence)

Finding: This skill goes beyond advisory review and instructs the agent to create and persist artifacts in the repository (for example writing CEO plan files and updating TODO-related content). That expands authority from analysis into modification, which can cause unauthorized repo changes, workflow pollution, or subtle prompt-driven state changes even when the user only asked for a review.

Description-Behavior Mismatch (Medium, 96% confidence)

Finding: The skill explicitly instructs promotion of generated review content into repository design docs, which is a content-modifying action outside a pure plan-review scope. This creates a path for unreviewed or adversarially influenced text to be copied into trusted project documentation, potentially misleading future work or embedding harmful instructions.

Vague Triggers (Medium, 88% confidence)

Finding: The trigger conditions are broad and proactive, making it likely the skill activates during ordinary planning discussions where the user did not request this level of intervention. In context, this is risky because the skill contains instructions for repo inspection, repeated questioning, and possible file modifications, so accidental activation can amplify its impact.

VirusTotal

66/66 vendors flagged this skill as clean.
