Phy Test Data Factory

Security checks across malware telemetry and agentic risk

Overview

This skill is a local test-data generator, but it can produce unguarded database cleanup code that may delete records if run against the wrong database.

Review generated files before running them. Use this only with isolated test databases, and either remove any clearTestData/deleteMany cleanup code or add environment guards to it, unless you are certain it cannot connect to production or shared data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 80% confidence
Finding
The skill metadata includes broad trigger phrases such as 'generate test data', 'seed database', and 'test fixtures' that are common in ordinary development conversations. This can cause unintended invocation of a skill that reads schemas and may generate database-writing or teardown code, increasing the chance of unsafe or surprising behavior.

Vague Triggers

Medium, 95% confidence
Finding
The trigger list contains ambiguous natural-language requests like 'test fixtures', 'factory functions', and 'I need fake users/orders/products for testing', which are likely to appear in normal discussion. In this skill's context, accidental activation is more concerning because the generated output includes executable seed and cleanup code that can modify or delete data if adopted without scrutiny.

Missing User Warnings

Medium, 93% confidence
Finding
The description emphasizes 'pure local file analysis + code generation' but does not clearly warn that the generated artifacts include database-writing helpers and a destructive clearTestData() teardown that issues deleteMany() calls. This can mislead users into treating the skill as non-destructive, increasing the risk that generated code is run against the wrong environment and causes unintended data loss.

VirusTotal

61/61 vendors flagged this skill as clean.
