ClawHub

Cocktail Craft

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cocktail-reference skill with clean scans; its main risks are broad reference-loading instructions and install guidance that should be reviewed before use.

Review the install commands before running them, especially because they download the latest GitHub branch into an active skills directory. For use, treat recipe and technique guidance as informational: follow local drinking-age laws, consume responsibly, and use normal food-safety precautions for raw egg, dairy, carbonation, heat, and high-proof alcohol.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installation block instructs an agent to fetch code from the network and write it into local skill directories using curl/git, unzip, and mv without explicit warnings, verification steps, or user confirmation gates. In an agent context, this is risky because a user may paste the block verbatim and cause the agent to import unreviewed remote content into an executable skill location.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger and mandatory-use language make this skill activate for essentially any cocktail-related request and require loading its references before answering. This can override normal skill-selection behavior, crowd out more appropriate skills, and unnecessarily force broad context ingestion, which increases attack surface and the chance that embedded or compromised reference content influences responses.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The file gives actionable drink-design guidance that includes raw egg/dairy use, carbonated mixers, high-proof alcohol, and heating constraints, but it does not present explicit user-facing safety guidance alongside those instructions. In a consumer-facing cocktail skill, omission of basic warnings can contribute to food-safety, burn, pressure, or misuse risks, especially for inexperienced users experimenting with eggs, dairy, shaking, and heat.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal