ClawHub

Code Check

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward code-checking helper that runs common project checks and fixes reported issues, with no hidden install scripts or persistence.

Install this only if you want an agent to run your project's check commands and edit files to resolve reported issues. Review commands in unfamiliar repositories before using it, especially npm/yarn scripts, tests, build steps, and audit tools that may run code, consume time, or access the network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad enough to match common requests like 'check code' or 'run check', which can cause the skill to activate in contexts where the user did not clearly consent to an automated fix loop. Because the skill is designed to run commands and modify code until checks pass, overbroad activation increases the chance of unintended code changes and execution of project-defined scripts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description says it will run quality and security checks and fix all errors by priority, but it does not clearly warn users that it may automatically modify project files in a repeated loop. That omission can mislead users about the operational impact of invoking the skill and reduces informed consent for potentially extensive workspace changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow instructs the agent to repeatedly run checks and fix issues until all pass, but it provides no warning that project commands like npm scripts, tests, build steps, or security tools may have side effects or consume significant resources. In untrusted or poorly understood repositories, this can lead to unexpected command execution, file modifications, and potentially unsafe script behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal