ClawHub

performance-monitor

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only performance monitoring skill whose broad telemetry behavior matches its stated purpose, but users should scope it carefully before use.

Before installing, decide which systems it may monitor, what telemetry is allowed, who can see dashboards and alerts, whether it may install collectors or enable integrations, and how long data should be retained. Do not allow secrets, sensitive payloads, or personal data into monitoring streams unless that handling is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance is broad and underspecified, telling the skill to query system architecture and performance requirements whenever invoked without defining clear trigger boundaries, authorization checks, or exclusions. In a monitoring skill that touches system-wide metrics across distributed agents, ambiguous scope can cause over-collection, unintended activation, or access to data beyond the user's intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill is designed to collect, aggregate, analyze, and retain extensive operational data, including system, usage, cost, and potentially security-related metrics, but it provides no warning that this data may be sensitive. In this context, users may enable monitoring without understanding privacy, confidentiality, or compliance implications, increasing the risk of exposing internal architecture, workloads, or user-derived telemetry.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal