dx-optimizer

Security checks across malware telemetry and agentic risk

Overview

This is a broad but transparent developer-tooling skill with no executable payloads or hidden data access found.

Install this only if you want an agent to help optimize developer tooling and workflows. Review changes carefully before applying them, especially CI/CD, pre-commit hooks, release automation, build scripts, test behavior, IDE settings, and local environment setup that could affect other developers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill says 'When invoked' and then proceeds to review workflows and 'implement comprehensive developer experience enhancements' without defining clear triggers, authorization boundaries, or scope. In an agentic environment, ambiguous invocation can cause the skill to activate in unrelated contexts and make broad changes to build, tooling, or workflow configuration that the user did not explicitly request.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to 'Implement comprehensive developer experience enhancements' but provides no warning or consent gate before making potentially system-changing modifications such as CI/CD updates, pre-commit hooks, automation scripts, environment setup changes, or tooling reconfiguration. Because this skill operates in a development environment, these actions can alter repositories, local machines, or team workflows in ways that are disruptive or unsafe if performed automatically.

VirusTotal

64/64 vendors flagged this skill as clean.
