Security audit

Company Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a markdown-only helper for creating agent-company packages. Its repo reading and file creation are disclosed and aligned with that purpose.

Install this if you want help scaffolding Agent Companies packages. Provide only repos or local paths you are comfortable having read, confirm the output directory, and review generated AGENTS.md, SKILL.md, .paperclip.yaml, and external source references before importing or running the company.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad and include common language such as 'create a team of agents' or 'hire some agents,' which can cause the skill to activate in contexts the user did not intend. In an agentic system that can read repos, generate files, and write package structures, unintended activation can lead to unnecessary repo analysis, file creation, or workflow changes based on ambiguous prompts.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger guidance is broad enough that many ordinary requests mentioning a repository could activate this skill, causing repository cloning/reading and packaging behavior in contexts where the user may not have intended it. In a security-sensitive workflow, over-triggering increases the chance of unintended access to local paths or remote repositories and can route execution into logic that processes untrusted repo content.

VirusTotal

63/63 vendors flagged this skill as clean.
