ClawHub

zero-loss-methodology

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only research workflow that creates local traceability records and copies input files, but those behaviors are visible and aligned with its stated purpose.

Install this only if you want a rigorous, artifact-heavy research workflow. Use it in a dedicated project folder, avoid unnecessary sensitive inputs, and review copied source files, manifests, registries, and process logs before sharing any generated package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger text is so broad that it can cause the skill to activate for many ordinary research, planning, review, and document tasks without clear user intent. In practice, this can force an unexpectedly heavy workflow, broaden data handling, and increase the chance that sensitive material is processed, copied, or retained when a simpler approach was expected.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to use the methodology whenever broad categories of work are detected, effectively overriding user choice and reducing meaningful consent. That is dangerous because the methodology includes persistent artifacts, external validation steps, and workflow expansion that may exceed what the user requested or expected.

Ssd 3

Medium
Confidence
96% confidence
Finding
The methodology requires detailed, persistent records of source content, decisions, verification state, and process history, which creates unnecessary data retention and duplication risk. If the source set contains sensitive, proprietary, regulated, or personal information, these artifacts can expand exposure surface and preserve data longer and in more places than needed.

Ssd 3

Medium
Confidence
97% confidence
Finding
Copying original user files into a new project structure and generating registries, manifests, and histories materially increases the number of locations where sensitive data may reside. That duplication raises the risk of accidental disclosure, over-retention, and inclusion of confidential or regulated data in derivative artifacts that may be shared more broadly than the originals.

Ssd 3

Medium
Confidence
96% confidence
Finding
The required live Process History and permanent error logging encourage continuous recording of workflow details, decisions, failures, and file changes, which can capture sensitive user information indirectly. Because the logging is mandated as permanent and comprehensive, it conflicts with least-privilege and minimization principles and can turn routine work into a durable audit trail of sensitive context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal