Company Skill Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent helper for creating and packaging internal company skills, but users should be careful about what internal documents, URLs, and credential-related examples they provide.

Install this only if you want an assistant to help create internal company skills and write/package files for them. Provide redacted documentation and auth-flow descriptions, not live API keys, passwords, tokens, private keys, connection strings, or sensitive production data. Review generated scripts, trigger descriptions, and packaged contents before installing or sharing the resulting skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

High (95% confidence)

Finding:
The frontmatter and guidance say to use this skill whenever users mention broad workplace concepts like creating an internal skill or automating a company workflow. Such expansive trigger guidance can cause over-invocation on common enterprise prompts, increasing the chance that proprietary docs, internal URLs, and local files are pulled into the skill flow unnecessarily.

Vague Triggers

High (97% confidence)

Finding:
The instructions explicitly tell authors to make generated skill descriptions 'pushy' and to trigger when in doubt. This is dangerous because it systematically biases downstream skills toward over-broad activation, amplifying the risk of accidental use on unrelated prompts and unintended access to sensitive enterprise context.

Missing User Warnings

Medium (93% confidence)

Finding:
The skill tells the agent to read files provided by the user and try fetching internal documentation URLs, including authenticated resources, without requiring a privacy warning, scope check, or explicit consent step. In a company setting, this can expose confidential documents, secrets in pasted files, or internal systems metadata far beyond what is necessary to draft a skill.

VirusTotal

65/65 vendors flagged this skill as clean.
