Preflight Workflow

Security checks across malware telemetry and agentic risk

Overview

The main checklist skill is low-risk, but the package makes persistent shell changes and includes an undocumented publishing script that can use a logged-in ClawHub account.

Review install.sh before running it, especially the PATH edit to your shell startup file; consider manual installation instead. Do not run publish.sh unless you intentionally want to publish this package with your ClawHub session. Use an explicit command-style trigger for the agent workflow to avoid accidental activation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The installer persistently modifies the user's shell startup file to alter PATH, which is a system-wide environment change beyond simply installing a preflight-checking skill. While not overtly malicious, this creates unnecessary persistence and trust expansion: any executable placed in the install directory will be resolved from PATH in future shells, increasing the blast radius if that directory or its contents are later modified.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
Automatic shell configuration changes are not clearly necessary for the stated purpose of running four pre-operation checks. This mismatch between declared functionality and installer behavior is risky because users may not expect persistence or profile modification, making the installation less transparent and easier to abuse in a trojanized variant.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger phrase "加载 preflight-workflow skill,说"先跑 preflight"" (load the preflight-workflow skill, say "run preflight first") is broad and not scoped to a distinct activation context. In agents that monitor natural-language conversation, a common phrase like "先跑 preflight" ("run preflight first") could be invoked unintentionally by user text, pasted documentation, or quoted examples, causing the skill to activate when not explicitly intended.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The English invocation guidance, "Load the skill and say 'run preflight'", is similarly vague and conversational. Because "run preflight" is a plausible normal phrase in deployment, release, or checklist discussions, an agent may misinterpret ordinary text as a command and activate the workflow unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script writes to ~/.bashrc or ~/.zshrc without a prior explicit warning or confirmation. Silent modification of startup files is dangerous because it establishes persistent execution context changes that users may overlook, and similar behavior is commonly associated with unwanted persistence mechanisms.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The phrase "说"跑preflight"就能触发" (saying "run preflight" is enough to trigger it) defines an activation trigger but does not specify scope, authorization, or safety boundaries for when the workflow should run. In an agent setting, underspecified trigger phrases can cause accidental or context-inappropriate invocation, leading to workflow execution at the wrong time or in the wrong context.

VirusTotal

64/64 vendors flagged this skill as clean.