skillforge

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill generator whose file creation is disclosed and aligned with its purpose, but users should choose the output folder carefully and review generated files before installing them.

Install this only if you want an agent to generate skill package directories. When using it, specify a new output folder, review the planned file tree before writing, avoid overwriting existing skills, and inspect any generated scripts or instructions before installing or sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 88%
Finding
The description is broad enough to match generic skill-authoring or packaging requests, which increases the chance this skill is invoked outside its intended scope. Over-broad triggers can cause unintended execution of its file-generation workflow, including producing and writing artifacts when a user only wanted advice or partial edits.

Vague Triggers

Low
Confidence: 82%
Finding
The usage guide asks for natural-language trigger examples but does not require counterexamples or boundaries that distinguish valid invocations from nearby unrelated requests. This can further broaden routing behavior and make accidental activation more likely, especially in systems that rely on examples for selection heuristics.

Missing User Warnings

Medium
Confidence: 94%
Finding
The workflow explicitly instructs the agent to write SKILL.md and resource files to disk without requiring user confirmation, destination constraints, or a warning that filesystem state will be modified. In an agent environment, this can lead to unauthorized or unexpected file creation/overwrite, which is especially risky because the skill generates multiple files and directories automatically.

Vague Triggers

Medium
Confidence: 91%
Finding
The usage-documentation template explicitly requires broad trigger phrases such as “帮我 XXX”, which can cause the skill to activate for generic user requests unrelated to safe skill generation. Over-broad descriptions and trigger examples increase unintended invocation, prompt-surface expansion, and the chance that this powerful content-generation skill is selected in inappropriate contexts.

VirusTotal

64/64 vendors flagged this skill as clean.
