Case Study Writing

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent case-study writing helper with disclosed CLI-based research and charting examples, but users should treat its external tools carefully.

Before installing, verify the inference.sh CLI installer or use the manual checksum path, use an appropriate inference.sh account, and avoid sending confidential customer names, quotes, metrics, or unpublished results to external search or execution apps unless you have approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill declares `allowed-tools: Bash(infsh *)`, which permits broad CLI execution under the `infsh` prefix and is more capability than a case-study writing skill strictly needs. Even though examples focus on research and chart generation, this expands the attack surface and could enable unintended command execution or unsafe access to external services if the skill is invoked with adversarial input.

Vague Triggers

Medium
Confidence: 78%
Finding
The trigger list contains broad phrases like `use case`, `case study`, and `customer story`, which may cause the skill to activate in contexts unrelated to this specific workflow. Over-broad activation increases the chance that users are funneled into a skill that performs networked research or shell-backed actions when they did not explicitly intend that behavior.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill includes commands that send user-provided research queries to third-party services like Tavily and Exa, but it does not warn that prompts, company names, and potentially sensitive business context will leave the local environment. In a case-study workflow, users may include confidential customer names, metrics, or unpublished results, making silent transmission to external services risky.

VirusTotal

66/66 vendors flagged this skill as clean.
