ClawHub

Command Output Display

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for displaying terminal commands and outputs, with no executable installer or hidden behavior, but it can expose sensitive command output if used carelessly.

Safe to install as a command-output formatting aid. Before using it on logs, configs, environment dumps, or service output, redact tokens, passwords, API keys, cookies, private paths, hostnames, and personal data; require explicit user intent before running any mutating commands shown in its examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill is presented as a command-output display aid, but its examples and guidance extend into creating configuration files, copying directories, and controlling services. That scope expansion can normalize operational changes without clear authorization boundaries, increasing the chance that an agent performs state-changing actions when the user only expects transparent display behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The background-command section includes starting services and checking their status, which goes beyond displaying command output and into active system control. In an agent setting, this can enable persistence, unreviewed service changes, or unintended side effects under the guise of merely showing terminal activity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to show complete stdout and stderr, preserve raw formatting, and avoid truncating important information, but provides no guidance to detect or redact secrets. Command output frequently contains credentials, tokens, file paths, internal hostnames, personal data, or stack traces, so this creates a direct data-exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal