Prompt Engineer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only prompt-engineering helper with no code, installs, credentials, persistence, or hidden data access.

Reasonable to install for prompt-writing and prompt-review work. Review outputs before sharing them, and do not use it with prompts that contain API keys, credentials, confidential business logic, or private user data unless you are comfortable with that full prompt being displayed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (88% confidence)
Finding
The frontmatter description is broad enough to match many generic AI-related tasks such as 'building AI features' or 'improving agent performance,' which can cause the skill to be invoked outside a narrowly bounded prompt-engineering context. Over-broad routing increases the chance that this skill overrides more appropriate domain-specific skills and exposes users to risky prompt-generation behaviors, including emitting full prompt text for sensitive use cases.

Vague Triggers

Medium (93% confidence)
Finding
The 'Use this skill when' guidance is self-referential and vague ('prompt engineer tasks or workflows'), which provides little boundary enforcement and can trigger on loosely related requests. In context, this is somewhat more dangerous because the skill strongly instructs the agent to always reveal complete prompt text, so accidental invocation could leak or generate high-risk prompt content in situations where summarization or safer abstraction would be preferable.

VirusTotal

59/59 vendors flagged this skill as clean.
