ClawHub

Android Unused Resource Cleanup

Security checks across malware telemetry and agentic risk

Overview

This skill locally scans an Android project for possibly unused resources and only suggests manual cleanup, but users should verify suggestions before deleting files.

Install only for Android projects under version control. Treat the output as a review checklist, not proof that a resource is unused: inspect each suggested file, consider dynamic or cross-module references, and build/test after any manual deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill instructs the user to run a Python script and Git commands over the local repository, which clearly implies shell execution and file-system read access, yet no permissions are declared. This creates a transparency and policy-enforcement gap: an agent or user may invoke repository-wide inspection and command execution without explicit capability scoping, increasing the chance of overbroad access or unsafe execution in sensitive workspaces.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script prints deletion commands for files it has heuristically classified as removable, but it does not prominently warn that the analysis can be incomplete or that deleting files may permanently alter the project. In this skill context, users are likely to trust the output and execute the suggested commands, so a false positive can directly cause destructive file loss or broken builds.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal