Assess Me

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed self-audit checklist that writes a short troubleshooting summary to a temp file, with some privacy cautions users should understand.

Use this as a lightweight debugging checklist. Before installing or invoking it, understand that it asks the agent to write a short self-audit to /tmp/assess-me.md; do not include secrets, credentials, private user content, system prompts, or detailed internal reasoning in that file, and delete it after use if the workspace is shared or sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The activation criteria are extremely broad ('debugging goes in circles', 'results are confusing', 'need a sanity check'), so the skill can be invoked in many ordinary troubleshooting contexts where it may not be appropriate. Because the skill then asks the agent to externalize its current thinking state, this broad trigger surface increases the chance of unnecessary exposure of sensitive internal context or reasoning artifacts.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs writing the agent's 'current thinking state' to /tmp and then reading it back, with no warning or filtering for secrets, system prompts, user-sensitive data, or other internal-only content. Persisting such material to a temporary file creates an unnecessary disclosure surface because temp storage may be accessible to other tools, processes, logs, or later steps in the workflow.

VirusTotal

54/54 vendors flagged this skill as clean.
