ClawHub

Context Engineering For Projects

Security checks across malware telemetry and agentic risk

Overview

This skill is a local project-context scaffolder that reads a user-provided code directory and creates documentation files without showing hidden network, credential, deletion, or execution behavior.

Before installing, confirm that you want a skill that can inspect a local code folder and create persistent context files under the chosen target root. Use a normal folder-style project name, review generated memory and decision files before relying on them, and avoid storing secrets in the generated project context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to read from an arbitrary code directory and create or update files under a target root, yet it declares no permissions or explicit safeguards. This mismatch increases the chance of unintended file-system access because users and policy layers are not clearly informed that the skill performs file reads and writes.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation text uses broad phrases like 'build/initialize project context' and similar variants that could match ordinary documentation or project-setup requests. Over-broad triggering can cause the skill to activate unexpectedly and perform disk writes or codebase inspection when the user did not intend to invoke a filesystem-mutating scaffold operation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description emphasizes scaffolding context docs but does not clearly warn that it will create directories and multiple files under a target root, with a default path in the user's home directory. That omission weakens informed consent and makes accidental filesystem modification more likely, especially when combined with broad invocation phrases.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal