Assetflow

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for digital asset management, but it grants broad authority to move and archive assets without enough upfront control language governing high-impact storage changes.

Review this skill carefully before installing in production asset libraries. Use it first on a test folder or with read-only credentials, and require previews plus explicit approval before any move, sync, archive, retention, or cold-storage operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The skill's safety claims are internally inconsistent: it says it never alters file contents, yet elsewhere it advertises generating thumbnails, previews, proof sets, and watermarking. This can mislead operators into granting trust or permissions under false assumptions, increasing the chance of unintended asset modification or derivative-file generation in production workflows.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The overview promotes broad automated organization, storage, retrieval, and cross-provider orchestration without clearly warning that assets may be moved, refiled, synced, or archived automatically. In an agent skill, that omission is risky because users may invoke it expecting analysis-only behavior while it performs state-changing operations on large asset sets.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The compliance example instructs automatic archival of assets older than two years to cold storage and retention handling without an explicit warning about the operational consequences. This is dangerous because retention and archival actions can reduce accessibility, increase restoration delays/costs, and inadvertently affect records that should remain immediately available.

VirusTotal

VirusTotal findings are pending for this skill version.