skill-router

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad automatic router that can run and chain other skills, including account and deployment workflows, without adequate scoping or user control.

Install only if you deliberately want a central automation router. Before using it, disable universal routing, require explicit confirmation before any script execution or account/deployment action, allowlist trusted downstream skills, review Discord/email/social/git integrations, and make event files and hooks easy to inspect and clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: Medium, confidence 94%
The router is documented as a privileged gateway that can directly execute skill scripts and automatically trigger follow-on skills via hooks. That creates a broad execution surface where misclassification, malicious skill metadata, or unsafe downstream skills can lead to unintended code execution or chained side effects well beyond simple routing.

Intent-Code Divergence

Severity: High, confidence 92%
The document claims external actions always require approval, but elsewhere defines automatic chains including mail/posting behavior and auto-triggered hooks. This policy/behavior mismatch is dangerous because operators may rely on a safety guarantee that the routing logic does not consistently enforce, enabling unintended outbound actions.

Vague Triggers

Severity: High, confidence 96%
The instruction to use this router on every request makes it effectively omnipresent, so any routing or execution flaw becomes globally reachable. In this context, the skill is the first gateway for all requests and can compose multiple downstream skills, which greatly amplifies the blast radius of prompt-trigger mistakes and unsafe matches.

Vague Triggers

Severity: Medium, confidence 90%
Many listed trigger phrases are common conversational terms such as 'trends,' 'release,' or 'daily report,' making accidental activation likely. Because this router can chain into operational skills, overly generic triggers can cause inappropriate tool selection and unintended downstream actions.

Vague Triggers

Severity: Medium, confidence 89%
The complex-chain patterns are underspecified natural-language phrases that can map broad user requests into multi-step workflows, some of which include external communication or deployment. In a router that supports automatic chaining and hooks, this ambiguity increases the chance of overbroad execution and unintended side effects.

Vague Triggers

Severity: Medium, confidence 94%
The safe-release chain is triggered by very broad phrases like "release," "deploy," and "push to production," which can match ordinary conversational requests and route users into a chain that includes git commit and push behavior. In a gateway/router skill that is intended to run on every request, ambiguous activation of deployment-related actions is especially dangerous because it can initiate high-impact operational workflows from imprecise user intent.

Vague Triggers

Severity: Medium, confidence 84%
The market-research chain uses vague triggers such as "market research" and "industry trends," which can be matched by many benign informational requests. Because the chain launches multiple collection skills including competitor monitoring and data scraping, overbroad routing can cause unintended external access, unnecessary data collection, and excessive automated activity.

Vague Triggers

Severity: High, confidence 97%
The idea-to-action chain is activated by highly ambiguous phrases like "review idea and execute" and "brainstorm and do it now," then proceeds to auto-compose an execution plan through skill-composer. In a first-gateway auto-router, this creates a substantial risk of escalating a loosely worded brainstorming request into real downstream actions without clear consent or bounded scope.

Missing User Warnings

Severity: Low, confidence 88%
The chain rules specify that data is written to the `events/` directory in predictable `latest-{skill-name}.json` files, but there is no disclosure, retention guidance, or minimization requirement. Persisting inter-skill data by default can expose sensitive prompts, results, or tokens to later skills, other users, or local file readers, especially in a federated composition system.

Missing User Warnings

Severity: Medium, confidence 90%
The morning-routine chain outputs a Discord DM, but the template does not disclose that operational summaries and notifications will be transmitted to an external service. This creates a risk of sending sensitive status, cost, or notification content off-platform without the user's informed consent.

Missing User Warnings

Severity: Medium, confidence 93%
The urgent-alert chain automatically sends immediate Discord notifications when certain events occur, including code-review findings, system anomalies, important email detection, and spending thresholds, without any disclosure of external data sharing. Automatic transmission of potentially sensitive operational or security information to Discord increases the risk of unauthorized disclosure and can amplify incident impact during already sensitive events.

VirusTotal

66/66 vendors flagged this skill as clean.