
Security audit

Skill Discovery

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only helper for finding ClawHub skills, with clear confirmation required before any install.

Before approving an install, review the search result, publisher, and target skill's own security notes. This skill itself is low risk, but any skill it installs may add new permissions or behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list is broad enough to match ordinary conversational phrases such as 'can you do X' or 'I need a tool for', which can cause the skill to activate in situations where no true skill gap exists. In this skill, unintended activation is more dangerous because it can steer the agent toward searching and installing third-party skills from a public registry, expanding the attack surface and increasing the chance of unnecessary or risky installs.

VirusTotal

64/64 vendors flagged this skill as clean.
