Back to skill

Security audit

Skill Finder CN Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ClawHub skill search helper, with disclosed install guidance and no hidden or automatic risky behavior found.

Install this only if you want your agent to help find ClawHub skills. Before running any suggested install command, review the target skill's description, publisher, files, and permissions, because installing another skill can change what your agent is able to do.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad enough to match many ordinary requests about finding tools or capabilities, which can cause the skill to activate outside its intended scope. In a skill that recommends and installs other skills, over-triggering increases the chance of unsolicited package discovery or installation guidance in unrelated conversations.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation logic describes responding to a wide range of open-ended user requests like 'is there a skill that can...' without strong boundaries, making accidental invocation likely. Because this skill's purpose is to search, inspect, and install external skills, ambiguous activation can steer users toward third-party content they did not explicitly ask to manage.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.