ClawHub

Pre-Install Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed pre-install safety scanner for ClawHub skills, with network lookups and install gating that fit its stated purpose.

Install this only if you want a ClawHub pre-install gate that can delay or block skill installs based on limited checks. Treat it as a free lightweight scanner rather than a full audit, and review the external Gumroad upgrade link separately before purchasing anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill declares broad automatic interception of install-related phrases without clear scoping, consent, or narrow invocation boundaries. In an agent environment, this can cause the skill to activate unexpectedly on loosely related user requests, creating a confused-deputy risk where network checks or install-blocking logic run outside the user's explicit intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill declares broad automatic trigger phrases for common install-related commands, which can cause it to intercept routine user requests without clear scoping to ClawHub-only contexts or explicit consent. In a security tool, this creates workflow hijacking and possible confusion or denial of intended actions if the skill activates unexpectedly during normal installation flows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal