Scholarship

Security checks across malware telemetry and agentic risk

Overview

The skill does not appear to run code or request access, but it is advertised as scholarship help while its instructions are mostly about courses, learning metrics, and paid classes.

Review this before installing because it appears mislabeled or template-like. It does not show code or permission risk, but it may give course-shopping or study-product guidance instead of reliable scholarship application rules. Verify scholarship eligibility, deadlines, and requirements with official school or government sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

High
Confidence: 98%
Finding
The skill is presented as a scholarship assistant, but its body describes course selection, paid classes, teachers, mock exams, and learning analytics. This mismatch can misroute user requests and create deceptive capability claims, increasing the risk of unauthorized promotion, data collection, or users relying on the skill for a purpose it does not actually serve.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The manifest claims the skill provides scholarship application information, but the implementation-facing documentation instead describes a learning/course assistance workflow. This inconsistency is dangerous because downstream agents or users may invoke the skill under false assumptions, enabling confusion, policy bypass through misclassification, or undisclosed commercial behavior.

Vague Triggers

Medium
Confidence: 87%
Finding
The example triggers are generic help-style prompts that could match many unrelated user requests. Overly broad activation language can cause accidental invocation of the skill in inappropriate contexts, leading to irrelevant responses, unsafe routing, or misuse of a mislabeled skill.

VirusTotal

63/63 vendors flagged this skill as clean.
