ClawHub

Use when user input is vague, underspecified, lacks boundaries or acceptance criteria, or would benefit from being reframed into a more executable prompt before work begins. Also use when user explicitly asks to optimize/refine/improve a prompt.

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only prompt-refinement helper whose behavior is disclosed, though users should be aware it may rewrite ambiguous requests and can skip confirmation when asked.

Install this if you want an agent to proactively clarify vague prompts. Keep the default confirmation flow for anything that could change files, spend money, publish content, or affect accounts, and be cautious with casual phrases like "just do it" because this skill may treat them as permission to use the rewritten prompt immediately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation description is broad enough to match many normal user requests such as improving, clarifying, or reframing text, which can cause the skill to trigger in situations where the user did not clearly ask for prompt rewriting. Over-broad invocation increases the chance of unrequested mediation of user input and can change workflow or route data into other components unexpectedly.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Using everyday language like 'just do it' as a control phrase for auto-apply is ambiguous because users often say it casually without intending to waive confirmation or prompt review. That ambiguity can bypass the safer confirmation path and cause the system to execute a refined prompt the user never explicitly approved.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill says 'just do it' both enables auto-apply and is a reason not to use the skill, creating contradictory trigger logic. Conflicting rules make control flow unpredictable and can be exploited or mishandled by an agent, leading to accidental execution without the intended refinement or confirmation behavior.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Continue Modes

1. **Popup-confirm (default)** — Show refined prompt, popup to choose refined vs original, execute after choice
2. **Auto-apply** — When user says "just do it / skip confirmation", show refined then execute immediately
3. **Optimize-only** — When user only asks to refine without executing, return refined result only

## When NOT to Use
Confidence
88% confidence
Finding
skip confirmation

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal