Skill Creator Claude

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate skill-building toolkit, but it needs review because it can run local automation, terminate local processes that hold the port it wants, send skill/eval content to Anthropic, and persist sensitive transcripts (including the model's thinking) to disk.

Install only if you are comfortable with a developer-focused skill that runs local Python tooling, uses subagents or the Claude CLI where available, opens local review pages, and may send skill/eval content to Anthropic during description optimization. Before using it with confidential skills, customer data, or secrets: review the scripts; prefer the static/offline viewer output; run it on a port that no important local service uses, because it terminates whatever already listens there; and disable detailed optimization logging, which writes prompts, responses and model thinking to local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%

Finding
The code unconditionally finds and sends SIGTERM to any process listening on the requested port before starting its own server. This can terminate unrelated local services owned by the same user, causing denial of service or accidental disruption of developer tools, and the risk is elevated because this skill is intended to create and run tooling automatically.
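The pattern this finding describes, beside a version that never signals a process it did not start: an added example written for this page, not the skill's own code. The function and class names, the `lsof -ti` invocation used to stand in for "find the listener", and the 20-port search window are assumptions.

```python
"""Added example (not the skill's code): start a local server without
SIGTERM-ing whatever already listens on the port."""
import os
import signal
import socket
import subprocess


def unsafe_free_port(port: int) -> None:
    """The pattern the finding describes: kill any listener on the port.
    Shown for contrast only. `lsof -ti :PORT` prints PIDs holding the port;
    they may belong to an IDE, a database, or another dev server."""
    out = subprocess.run(["lsof", "-ti", f":{port}"], capture_output=True, text=True)
    for pid in out.stdout.split():
        os.kill(int(pid), signal.SIGTERM)


def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """True if we can bind host:port right now (no listener on it).
    A socket still in TIME_WAIT also reports 'not free'; that is the safe side."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def choose_port(preferred: int, search: int = 20, host: str = "127.0.0.1") -> int:
    """Return `preferred` if free, otherwise the next free port within `search`.
    Never touches the process that owns a busy port; raises instead."""
    for port in range(preferred, min(preferred + search, 65536)):
        if port_is_free(port, host):
            return port
    raise RuntimeError(
        f"no free port in {preferred}-{preferred + search - 1}; "
        "stop the conflicting service yourself"
    )


class OwnedServers:
    """Only ever signals processes this session started itself."""

    def __init__(self) -> None:
        self._procs: dict = {}  # port -> subprocess.Popen

    def start(self, argv: list, port: int) -> int:
        proc = subprocess.Popen(argv)
        self._procs[port] = proc
        return proc.pid

    def stop(self, port: int) -> None:
        proc = self._procs.pop(port, None)
        if proc is None:
            raise LookupError(f"port {port}: not a server we started; refusing to signal it")
        proc.terminate()  # SIGTERM to our own child only
        proc.wait(timeout=10)


def demo() -> dict:
    """Occupy an ephemeral port with a throwaway listener (constructed, not a
    real service) and show choose_port() picks a different one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as occupier:
        occupier.bind(("127.0.0.1", 0))
        occupier.listen(1)
        taken = occupier.getsockname()[1]
        chosen = choose_port(taken)
        return {
            "taken": taken,
            "chosen": chosen,
            "taken_free": port_is_free(taken),
            "chosen_free": port_is_free(chosen),
        }


if __name__ == "__main__":
    print(demo())
```

The safe path is to fail loudly or move ports; if the tool really must stop a server, it should only stop one it recorded starting, as `OwnedServers.stop` does.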

Missing User Warnings

Severity: Low
Confidence: 88%

Finding
The README instructs users to set ANTHROPIC_API_KEY but does not warn that it is a sensitive secret or provide basic handling guidance. In a skill intended for broad cross-platform installation, this omission can lead users to expose the key in shell history, logs, screenshots, shared environments, or committed config files, increasing the risk of credential leakage and API abuse.

Vague Triggers

Severity: Medium
Confidence: 84%

Finding
The guidance explicitly tells authors to make descriptions 'pushy' and trigger on broad mentions even when the user does not explicitly ask for the skill. In a skill that can execute shell commands, create files, run benchmarks, and launch background processes, over-triggering increases the chance that privileged actions occur in contexts where the user expected a normal conversational response rather than automation.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The script sends potentially sensitive local data to Anthropic, including full skill content, evaluation results, prior attempt history, and user query text embedded in failures, without any notice, consent flow, redaction, or data-classification guardrails. In a skill-creation context, those inputs can easily contain proprietary prompts, internal benchmarks, or user-derived text, so silent exfiltration to an external API is a real privacy and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 98%

Finding
The code extracts the model's hidden 'thinking' content and writes it to disk along with the full prompt, response, and rewritten response. This creates a durable local transcript containing sensitive inputs, model internals, and potentially confidential evaluation data, increasing the chance of later disclosure through logs, backups, shared workspaces, or source control mistakes.
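One shape for the guardrails the two findings above say are missing (an opt-in before content is sent externally, a classification check, redaction of secrets, and a transcript writer that drops the model's thinking by default); it also catches a leaked ANTHROPIC_API_KEY value, which the README finding earlier is about. This is an added example written for this page, not code from the skill or from Anthropic. The secret patterns (including the assumed `sk-ant-` key prefix), the confidentiality markers, the consent flag, and the transcript field names are assumptions, and the content in `demo()` is constructed and contains no real credentials.

```python
"""Added example (not the skill's code): classify and redact content before
it leaves the machine or is written to disk."""
import json
import re
import tempfile
from pathlib import Path

# Cheap indicators, assumed for this example; not exhaustive.
SECRET_PATTERNS = {
    "anthropic_api_key": re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{16,}"),
}
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "DO NOT DISTRIBUTE")


def classify(text: str) -> list:
    """Return the reasons `text` should not leave the machine as-is."""
    reasons = [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]
    upper = text.upper()
    reasons += [f"marker:{m}" for m in CONFIDENTIAL_MARKERS if m in upper]
    return reasons


def redact(text: str) -> str:
    """Replace every secret match with a labelled placeholder."""
    for name, pat in SECRET_PATTERNS.items():
        text = pat.sub(f"[REDACTED:{name}]", text)
    return text


def prepare_outbound(skill_content: str, eval_results: str, consent_to_send: bool) -> dict:
    """Build the payload an optimization call would send to the external API.
    Refuses without explicit opt-in, refuses material marked confidential,
    and redacts secrets in everything else."""
    if not consent_to_send:
        raise PermissionError("external optimization requires explicit opt-in")
    for label, text in (("skill", skill_content), ("eval", eval_results)):
        markers = [r for r in classify(text) if r.startswith("marker:")]
        if markers:
            raise PermissionError(f"{label} is marked confidential ({markers}); not sending")
    return {"skill": redact(skill_content), "eval": redact(eval_results)}


def persist_transcript(record: dict, path: Path, keep_thinking: bool = False) -> dict:
    """Write a transcript with secrets redacted and, unless asked, without the
    model's thinking. Assumed keys: prompt, response, thinking."""
    kept = {k: redact(v) for k, v in record.items() if k != "thinking" or keep_thinking}
    path.write_text(json.dumps(kept, indent=2))
    return kept


def demo() -> dict:
    """Constructed sample inputs; the key-like strings are fake."""
    skill = "Set ANTHROPIC_API_KEY=sk-ant-" + "x" * 40 + " before running the evals."
    evals = "eval 3 failed; user text: my AWS key is AKIAIOSFODNN7EXAMPLE"
    payload = prepare_outbound(skill, evals, consent_to_send=True)

    refused_without_consent = False
    try:
        prepare_outbound(skill, evals, consent_to_send=False)
    except PermissionError:
        refused_without_consent = True

    refused_confidential = False
    try:
        prepare_outbound("CONFIDENTIAL: internal pricing prompt", "", consent_to_send=True)
    except PermissionError:
        refused_confidential = True

    out = Path(tempfile.mkdtemp()) / "transcript.json"
    written = persist_transcript(
        {"prompt": skill, "response": "ok", "thinking": "user seems to work at ACME"}, out
    )
    return {
        "payload": payload,
        "written": written,
        "refused_without_consent": refused_without_consent,
        "refused_confidential": refused_confidential,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pattern-based redaction is a floor, not a guarantee: it cannot recognise proprietary prompt text, so the confidentiality markers and the consent prompt carry the weight for anything that does not look like a credential.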

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal