DELETE IT

Security checks across malware telemetry and agentic risk

Overview

The visible skill artifacts are mostly disclosed and task-focused, but one bundled review helper defaults to running nested AI review with full sandbox bypass, which deserves manual review before installation.

Review the autoreview helper before installing or invoking this skill set. If you use it, prefer --no-yolo or AUTOREVIEW_YOLO=0 unless you intentionally want a nested reviewer to run with full local filesystem and command authority. Also ensure ClawHub moderation commands are only used by trusted staff accounts with explicit targets and reasons.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill content is so vague that it does not define any clear purpose, activation scope, constraints, or permitted behavior. Ambiguous skills are risky because they can be invoked in unintended contexts or interpreted too broadly by an agent framework, increasing the chance of unsafe or unpredictable behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal