java-optimization

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a Java performance-optimization helper, with the main issue being broad activation wording rather than harmful behavior.

Install this if you want Java performance guidance, but be aware it may activate on generic performance, cache, or database-tuning requests. If your agent supports confirmation or scoped skill routing, use that control when the request is not clearly Java optimization work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list includes broad phrases such as '数据库优化', '缓存策略', and '性能分析', which are common in ordinary Java or backend discussions and may cause the skill to activate when the user did not specifically request this optimization skill. This creates an over-broad routing condition that can lead to unintended invocation and misapplication of the skill's guidance.

Vague Triggers

Medium
Confidence: 93%
Finding
The English keyword trigger includes a broad phrase like "improve performance," which can match many non-Java requests and cause the skill to activate outside its intended scope. Over-broad activation can route users into irrelevant optimization guidance, increasing the chance of incorrect assistance or context confusion in multi-skill environments.

Vague Triggers

Medium
Confidence: 95%
Finding
The regex pattern for general performance improvement is overly generic and may match requests unrelated to Java, such as frontend, database-only, or system-level tuning questions. This broad matching increases unintended invocation risk and can lead to inappropriate tool or skill selection.

VirusTotal

66/66 vendors flagged this skill as clean.
