ClawHub

Find Skills - Universal Discovery

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed skill-marketplace helper, but it can steer broad requests into installing third-party agent skills without enough user control or source-review guidance.

Install only if you want a marketplace helper that can search for and install other agent skills. Use it only for explicit skill-discovery requests, manually approve every install command, prefer trusted repositories, and review any target skill before installation because installed skills may persist and change future agent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation guidance is broad enough to trigger on generic requests like 'how do I do X', which can cause this skill to engage in many contexts where users did not explicitly ask to browse or install third-party skills. In this skill, that is risky because the subsequent workflow encourages discovery and installation of external packages/repositories, increasing the chance of unnecessary exposure to untrusted code and supply-chain actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs installing third-party skills from GitHub and community marketplaces without any safety warning, trust verification, permission prompt, or sandboxing guidance. Because these installations can introduce new code, prompts, or agent capabilities from untrusted sources, this creates a clear supply-chain and system-modification risk, especially in a skill dedicated to discovering from a very large ecosystem of community content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal