Security audit

吞贼·净化魄

Security checks across malware telemetry and agentic risk

Overview

This instruction-only self-healing skill has no executable payload, but it asks the agent to perform broad cleanup and recovery actions without clear user approval or scope limits.

Install only if you will supervise it closely. Use it first for read-only diagnostics, and require a proposed change list plus explicit approval before deleting files, restarting processes, triggering garbage collection, rolling back versions, or sharing diagnostic reports from logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding:
The trigger examples are broad enough that ordinary user statements like 'the system seems unstable' or 'clean redundant files' could activate autonomous diagnostic or cleanup behavior without clear confirmation boundaries. In a skill explicitly designed for self-healing, cleanup, rollback, and process recovery, ambiguous triggering increases the chance of unintended file/process-affecting actions being taken on benign conversational input.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill advertises cleanup and self-healing actions that may delete files, restart processes, trigger garbage collection, or roll back versions, but it provides no user warning, safety constraints, or confirmation requirements. Because the rest of the document describes automatic remediation capabilities, the lack of safeguards materially increases the risk of accidental destructive actions and service disruption.

VirusTotal

65/65 vendors flagged this skill as clean.