Back to skill

Security audit

Dont Hack Me

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Clawdbot security checker, but its broad trigger phrases could make it read sensitive local configuration before the user clearly asked for that specific audit.

Install only if you want an agent to inspect your Clawdbot/Moltbot configuration. Invoke it explicitly for that config, review the report before sharing it because it may reveal security details, and approve fixes only after understanding that tokens, gateway access, channel policies, and file permissions may change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation phrase "run a security check" is broad and could plausibly match ordinary user requests that were not intended to invoke this specific skill. Because the skill reads a local config, runs shell commands, and may later offer to modify files, accidental activation expands the chance of unintended sensitive-file access and security-relevant actions.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Examples like "check my security settings" and "am I secure?" are highly ambiguous and overlap with normal conversational requests. In context, this skill performs filesystem reads and can initiate an auto-fix workflow, so broad triggers materially increase the risk of unintended execution and disclosure of local configuration details.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.