agent-builder

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only skill for helping users create OpenClaw agent workspace files, with no executable code or hidden data transfer found.

Review generated agent files before using them, especially MEMORY.md and HEARTBEAT.md. Keep secrets out of the workspace, and only enable external APIs, outbound messaging, or high-autonomy behavior after explicit review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The manifest description says to use the skill when the user wants to 'design a new agent' or 'iterate on an existing agent's behavior,' which is very broad and lacks explicit trigger boundaries or exclusions. In a markdown/manifest context, this could overlap with many ordinary conversations about agents and makes it unclear when this skill should activate versus more specialized skills.

Natural-Language Policy Violations

Low
Confidence: 92%
Finding
This markdown file contains Chinese text embedded within otherwise English documentation, which effectively imposes a specific language on part of the content without offering a language choice or explaining a locale-specific requirement. The policy for natural-language violations applies to all file types, and this is a clear language/locale consistency issue.

External Transmission

Medium
Category: Data Exfiltration
Content
### Patterns
*   **MRKL**: Modular Reasoning, Knowledge and Language. A router sends queries to expert modules (calculators, weather APIs).
*   **Toolformer**: Fine-tuning LMs to self-supervise API calls.
*   **Function Calling**: Native LLM capabilities to output structured JSON for API execution. Through the SkillBoss API Hub (`POST https://api.heybossai.com/v1/pilot`) requests can be routed uniformly to 100+ AI services without managing multiple API keys.

## Common Architectures
Confidence: 50%
Finding
https://api.heybossai.com/

VirusTotal

64/64 vendors flagged this skill as clean.
