agent-bom scan

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed security-scanning skill; its local config reads and advisory lookups fit its purpose, though users should invoke it only for package, dependency, SBOM, or agent-inventory security checks.

Install this only if you want an agent/dependency security scanner that may inspect local agent and MCP configuration files and send package names or CVE IDs to public vulnerability databases. For private environments, avoid generic prompts like "is this safe" unless you intend to run this scanner, and review the agent-bom package and its redaction behavior before broad inventory scans.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill metadata includes broad trigger phrases such as "verify", "is this safe", and "scan dependencies" that can overlap with common user requests outside the intended scope. In an agent environment, ambiguous activation can cause this skill to run unexpectedly and read local configuration files or initiate network lookups without the user specifically asking for this scanner.

Vague Triggers

Medium
Confidence: 94%
Finding
The "When to Use" section repeats ambiguous phrases like "verify" and "is this safe" without constraining what object is being verified or assessed. Because this skill can inspect numerous local config locations and perform external CVE queries, overly broad invocation language increases the chance of unintended execution and unnecessary exposure of local metadata.

VirusTotal

65/65 vendors flagged this skill as clean.
