ClawHub

Parallel Responder

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it encourages broad automated task handling, child-agent workflows, installs, and file saves without clear permission boundaries.

Install only if you are comfortable with a skill that may steer the agent toward background-style task execution and progress reporting. Require explicit approval before installs, deletes, restarts, sub-agent launches, or file writes, and prefer a version that documents shared context, allowed write locations, cancellation, and cleanup behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger keywords are very broad and include common conversational terms, which can cause the skill to activate or classify actions for ordinary user messages without clear user intent. In a skill that can execute tasks, spawn sub-agents, and send progress updates, ambiguous activation increases the chance of unintended operations or misleading autonomous behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The examples normalize handling vague requests such as installation, writing, and memory organization without clearly stating permission checks, scope limits, or approval gates. Because the skill advertises immediate execution and parallel handling, users may unknowingly trigger actions with side effects before reviewing what will happen.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill demonstrates saving generated output to a filesystem path but does not warn that it may write files or modify persistent state. In an agent environment, undocumented write behavior can lead to unexpected data changes, overwrites, or creation of artifacts in sensitive locations, especially when combined with autonomous or parallel execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal