Back to skill

Security audit

Skill 查找器

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed skill-recommendation and privacy helper; its broad activation and local skill access deserve awareness but do not show hidden or malicious behavior.

Install only if you want a helper that inventories your local skills and recommends additions. Before enabling network mode, note that it may send an anonymous device ID, installed skill names, and search keywords to Mapick; choose local mode if that is not acceptable. Review every install, update, cleanup, or notification plan before confirming.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill metadata and trigger phrases are broad enough to match ordinary user requests about finding tools or getting recommendations, which can cause unintended activation. This is dangerous because an over-triggering skill that recommends and installs third-party skills increases the chance of steering users into unnecessary package discovery or installation flows without clear intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation examples are ambiguous and overlap with generic requests like 'I need something that can...' without constraints tying the request specifically to ClawHub skill search. In context, this matters because the skill's workflow proceeds from search to inspect to install, so accidental invocation could influence users toward executing package-management actions they did not explicitly request.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad, generic user intents such as 'find skill', 'search skill', and 'what skills are there', which can cause the skill to activate during ordinary conversation even when the user did not explicitly intend to invoke it. In a skill-dispatch system, this increases the chance of unintended routing, confusing responses, and accidental installation guidance exposure, especially because this skill is designed to discover and help install other skills.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.