ClawHub

documentation-engineer

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-focused instruction-only skill with no executable code, but users should approve any analytics or customer-feedback data use before deployment.

Install is reasonable for documentation work. Before using it on production docs or customer-support material, require the agent to use sanitized or aggregated analytics, avoid raw tickets unless explicitly approved, document any tracking added to a docs site, and verify that reported metrics are measured rather than assumed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The checklist explicitly requires analytics tracking, but provides no privacy notice, consent requirement, or data-minimization guidance. In practice this can lead the agent to recommend or implement telemetry that collects user behavior without appropriate disclosure, governance, or compliance review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs analysis of user feedback, traffic analytics, search queries, and support ticket themes, all of which may contain sensitive or personal data, without any handling restrictions. This increases the risk of unnecessary exposure of internal customer information, secrets in tickets, or regulated data during routine documentation work.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The implementation phase says to add analytics as part of building the documentation system, but omits privacy, consent, and governance constraints. That creates a realistic path for the skill to operationalize tracking code or data pipelines in documentation sites without validating legal, policy, or user-notice requirements.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal