ClawHub Skill Packager

Security checks across malware telemetry and agentic risk

Overview

This is a text-only skill for packaging ClawHub/OpenClaw skills, with no hidden execution, credential use, persistence, or network behavior found.

Install this for explicit ClawHub/OpenClaw skill packaging work. Because it infers missing names, metadata, and packaging details, review the generated bundle and separate review file before publishing or installing the output.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The activation guidance says to use the skill when the user wants to "create, repair, review, rename, repackage, or republish" a skill bundle, which is a wide set of generic intents without concrete trigger phrases, boundaries, or exclusion examples. This broad wording could cause unintended invocation for ordinary requests about reviewing or renaming files unless additional scope constraints are supplied.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal