agent-generator

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is consistent with its stated purpose of generating AI agents, though its examples can send requirements to OpenAI and should be used carefully with sensitive data.

Safe to install as an instruction-only helper. Before adapting the examples, keep API keys in environment variables or a secret manager, remove secrets or confidential details from requirements unless you intend to send them to the model provider, and review generated agents or code before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill's routing description is overly broad and can cause it to be selected for many generic prompting, coding, or AI design requests outside a tightly defined scope. Overbroad invocation increases attack surface because a powerful code- and agent-generation skill may be inappropriately engaged in contexts where safer, narrower skills should handle the task.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The example sends the full user-supplied requirements object directly to an external OpenAI API via JSON.stringify without any minimization, redaction, consent flow, or warning that potentially sensitive project data may leave the local environment. In an agent-generation skill, requirements can easily contain proprietary architecture details, credentials mistakenly pasted by users, internal tool names, or regulated data, making silent third-party transmission a realistic confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.