Claude Code Master

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent Claude Code workflow guide, but it teaches persistent hooks, token handling, broad write-capable agents, and third-party command execution with weak safety boundaries.

Review carefully before installing or copying the setup commands. Do not store real tokens in shell startup files, do not use chmod 777 for hook output, avoid sending private code to third-party CLIs unless explicitly intended, and only enable write-capable or autonomous agents with clear project scope and rollback controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3
  • Severity: Medium
  • Category: MCP Least Privilege
  • Confidence: 89%
  • Finding: The skill describes workflows that create files and directories such as `.claude/agents/`, `.claude/output-styles/`, `CLAUDE.md`, specs, and other project artifacts, but it does not declare corresponding permissions. That mismatch can cause the agent to perform file-writing behavior without transparent capability disclosure, weakening user consent and sandbox/policy enforcement.

Context-Inappropriate Capability
  • Severity: Medium
  • Confidence: 84%
  • Finding: The guide instructs users to configure hooks that read a bearer token from the environment and perform authenticated HTTP callbacks. Even though the endpoint is localhost, this expands the skill from passive documentation into operational automation that can transmit execution state and depends on credential handling, increasing attack surface and misuse risk.

Context-Inappropriate Capability
  • Severity: Medium
  • Confidence: 88%
  • Finding: This example embeds a mandatory shell command that invokes an external CLI against a user-supplied file path. Even though it is presented as documentation, skills and style files can normalize or trigger command execution workflows, creating risk of unintended data exfiltration to third-party tools, unsafe shell usage, and over-broad trust in external analyzers.

Context-Inappropriate Capability
  • Severity: Medium
  • Confidence: 92%
  • Finding: The security-audit style includes direct execution of multiple local scanning commands, which materially expands capability from guidance into actionable command orchestration. In an agent skill context, that can lead to unauthorized scanning, execution in the wrong environment, disclosure of repository contents to tools, and risky assumptions that these commands are always safe or appropriate.

Context-Inappropriate Capability
  • Severity: Medium
  • Confidence: 95%
  • Finding: The `data-scientist` agent is framed as an analysis/query specialist but is granted `file_edit`, which expands it from read/query behavior into write-capable behavior. That mismatch weakens least-privilege boundaries and could let a prompt intended for analysis silently modify project files or persist unsafe changes.

Context-Inappropriate Capability
  • Severity: Medium
  • Confidence: 96%
  • Finding: The `code-reviewer` is described as a checking/review agent, yet it has `file_edit` permissions. A reviewer should normally be non-mutating; giving it write capability allows unauthorized or unexpected code changes during what users may assume is a read-only audit step.

Vague Triggers
  • Severity: Medium
  • Confidence: 92%
  • Finding: The activation criteria are broad, generic, and tied to common Claude Code assistance topics, which increases the chance this skill will be invoked for many unrelated or only loosely related requests. In an agent environment, over-broad auto-activation can cause unintended instruction injection, workflow hijacking, or inappropriate reliance on this skill's guidance even when a narrower or safer skill should apply.

Vague Triggers
  • Severity: Medium
  • Confidence: 86%
  • Finding: The trigger text says the skill 'MUST BE USED' for a broad set of common Claude Code activities, including optimization, workflows, best practices, and advanced configuration. Overly broad mandatory triggering increases the chance this skill will be invoked in unrelated contexts, causing instruction takeover, unnecessary exposure to repository context, and potentially unsafe workflow changes.

Missing User Warnings
  • Severity: Medium
  • Confidence: 91%
  • Finding: The examples persist and later transmit full task output and working-directory information without any privacy warning or data minimization. Claude output can contain source code, secrets, file paths, or user data, so normalizing this pattern can lead to unintended disclosure to downstream services or logs.

Missing User Warnings
  • Severity: Medium
  • Confidence: 94%
  • Finding: The document tells users to export a bearer token in shell startup files without discussing credential persistence risks. This can expose tokens to other local processes, inherited shells, backups, accidental commits of dotfiles, and long-lived compromise if the token leaks.

Vague Triggers
  • Severity: Medium
  • Confidence: 90%
  • Finding: The `code-reviewer` description says it must be used broadly after writing or modifying code, which creates ambiguous routing and excessive automatic invocation. Over-broad triggers increase the chance of unnecessary agent execution, privilege exposure, and accidental use of tools in contexts the user did not explicitly request.

Vague Triggers
  • Severity: Medium
  • Confidence: 89%
  • Finding: The debugger is set to trigger on essentially any technical issue, code error, or abnormal behavior, which is too broad to route safely. In a multi-agent environment this can cause over-invocation of a tool-capable agent and increase the risk of unintended file changes or command execution.

Vague Triggers
  • Severity: Medium
  • Confidence: 90%
  • Finding: The `data-scientist` trigger language covers a wide range of analytics, querying, visualization, and decision-support tasks without clear limits. Such expansive routing can invoke an agent with shell and edit capabilities in situations where a narrower, safer workflow would be more appropriate.

Vague Triggers
  • Severity: Medium
  • Confidence: 86%
  • Finding: The PRD writer is configured to activate for a very broad set of planning and documentation tasks, which can lead to unreliable or unintended routing. While lower risk than shell-capable agents, broad activation still reduces predictability and may expose web/file tools when not necessary.

Vague Triggers
  • Severity: Medium
  • Confidence: 88%
  • Finding: The steering architect's description covers project initialization, architecture analysis, specification creation, and stack analysis with insufficient boundaries. Because it also has `bash` and write access, broad invocation can expose powerful tools during loosely related conversations.

Vague Triggers
  • Severity: Medium
  • Confidence: 87%
  • Finding: The strategic planner trigger language overlaps with many ordinary planning and design activities, making it hard to predict when the agent should activate. Although it is less dangerous than an executor, ambiguous routing can still cause inappropriate delegation and unexpected file creation or web lookups.

Vague Triggers
  • Severity: Medium
  • Confidence: 93%
  • Finding: The task executor is described as the default agent for concrete coding, bug fixes, and test runs, which is broad enough to match most implementation work. Because it has both `file_edit` and `bash`, over-broad routing materially increases the risk of unintended code execution, repository changes, and automated task chaining.

Missing User Warnings
  • Severity: Medium
  • Confidence: 84%
  • Finding: The workflow includes analyzing user behavior data and identifying churn traits but provides no warning or guardrails for privacy-sensitive, potentially personal, or regulated data. In a data-analysis context this omission is meaningful because it normalizes behavioral profiling without reminding users to validate consent, minimization, and access controls.

Missing User Warnings
  • Severity: Medium
  • Confidence: 91%
  • Finding: The document explicitly instructs users to clone a third-party repository, run `./install.sh`, and register MCP servers via commands that modify `~/.claude` and may execute remote packages through `npx`, but it does not warn about trust boundaries, side effects, or the need to review scripts first. In a skill intended to guide workflow setup, this is dangerous because users are likely to copy-paste commands directly, leading to unreviewed code execution and persistent local configuration changes.

VirusTotal

66/66 vendors flagged this skill as clean.
