VerifyGuard — AI Output Pre-checker

Security checks across malware telemetry and agentic risk

Overview

This is a local, user-run Markdown precheck tool, but its documentation overstates link checking because it does not actually verify URL reachability.

Install only if you want a lightweight local pre-publication scanner. Do not rely on it to confirm that external URLs are reachable, and be aware that secret findings may print matching snippets from the file to your terminal or logs.

SkillSpector

By NVIDIA

Vulnerability Patterns checked:
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill description materially overstates and misrepresents behavior, especially by claiming link availability checks via Python + requests when the implementation apparently performs no network validation. Security tooling that claims checks it does not actually perform can create false assurance, causing users to publish content or submit artifacts under the mistaken belief that links and leak checks were comprehensively verified.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The skill advertises automatic link availability checking, but the implementation only parses Markdown links and labels HTTP/HTTPS URLs as needing manual verification. In a pre-publication security/integrity tool, this gap can create a false sense of assurance, allowing broken links or references to unavailable resources to pass review unnoticed.

Intent-Code Divergence

Severity: Low
Confidence: 88%
Finding: The docstring states that the function checks Markdown link format, while the higher-level documentation claims link reachability verification. This inconsistency is dangerous because operators may rely on the stronger claim and assume links were validated on the network when only syntax was inspected.

VirusTotal

64/64 vendors reported this skill as clean.