Back to skill

Security audit

UX QA Gate

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed UI proof workflow that runs local/remote visual checks and stores proof artifacts, with no evidence of hidden or unrelated behavior.

Install this if you want ClawHub UI proof automation. Before running it, expect it to create local proof artifacts and, when explicitly asked, use remote proof infrastructure or publish screenshots and reports to a PR-related branch/comment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill's trigger language is extremely broad ('after building', 'before saying done', 'review the UX', 'run the gate') and overlaps with routine developer workflow phrases. This can cause the skill to auto-invoke in many unrelated contexts, increasing the chance of unnecessary execution, workflow hijacking, or interference with higher-priority instructions and other skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.