War Intelligence Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose, but it asks for highly sensitive conflict-zone location data and recurring external alerts without enough privacy or shutdown guidance.

Review carefully before installing. Use coarse locations where possible, keep the config out of synced folders and repositories, restrict file access, redact alert payloads before sending them to messaging services, set an end date for any cron jobs, and rely on official local emergency and embassy alerts for safety decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The invocation description is broad enough to match general safety, travel, or location-risk questions, which could cause the skill to activate outside narrowly intended wartime monitoring scenarios. In this context, over-triggering is more dangerous because the skill handles crisis guidance and highly sensitive personal location data, so accidental invocation could expose private data or deliver inappropriate emergency-style advice.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill instructs users to store precise location, shelter locations, nearby military or infrastructure targets, evacuation destinations, and emergency contacts in a local config without any privacy warning, minimization guidance, or handling restrictions. In a war-intelligence context, this is especially sensitive: if exposed through logs, backups, prompts, or compromise of the host environment, it could reveal the user's whereabouts, support network, and proximity to strategic sites.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The guide instructs users to collect and store extremely sensitive data including home address, precise coordinates, nearby shelters, evacuation destination, nearby military-related targets, and emergency contacts in a local config file, but gives no privacy, minimization, retention, or access-control guidance. In the context of a wartime intelligence skill, this data materially increases personal safety risk if exposed, because it can reveal a user's location, movement plans, and proximity to strategic sites.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The guide tells the user to have the agent create persistent cron jobs and send alerts to external services, but does not warn that this modifies the host system and may continuously transmit sensitive wartime location and threat data off-device. In this skill's context, automated exfiltration to Discord, Telegram, or similar channels is especially dangerous because briefings may include precise location, evacuation intent, or military-target proximity information that could be exposed through compromised accounts, misconfiguration, or insecure channels.

VirusTotal

66/66 vendors flagged this skill as clean.
