Security audit

Skill Discovery

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ClawHub skill finder that searches for matching skills and installs only after user confirmation.

Before approving an install, review the suggested skill itself, especially any scripts or permissions it uses. This helper is low risk on its own, but it can lead to installing third-party skills, so only approve installs you intentionally requested and trust.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger phrases are broad enough to match many ordinary requests such as 'can you do X' or 'I need a tool for', which can cause this skill to activate even when built-in tools or existing local skills are sufficient. In this skill's context, over-triggering is risky because activation leads to searching a public registry and potentially installing third-party skills, expanding the attack surface and making social-engineering or malicious-skill installation more likely.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal