ClawHub

Vibe Prompt Compiler Portable

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed prompt-compiler for coding requests, with optional local helper scripts and no evidence of hidden network, credential, destructive, or persistence behavior.

Install if you want vague coding requests converted into structured briefs. Be aware that it may steer broad coding prompts into its scoping workflow, and only use the repo-aware flags on repositories whose README, AGENTS.md, and package.json you are comfortable letting the helper script read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill says to 'use this skill automatically when a user gives a vague coding request,' which is a broad trigger likely to activate on many unrelated development conversations. Overbroad auto-activation can cause unrequested workflow steering, prompt rewriting, and implicit assumptions to be injected into downstream coding tasks, increasing the risk of unintended actions or degraded user control.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
Promoting a `--language-preset chinese-first` option as a useful flag without clear opt-in can cause responses, prompts, or handoff artifacts to be generated in an unexpected language context. In a coding workflow, this can create confusion, reduce reviewability, and introduce subtle operational mistakes when collaborators or tools expect another language.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The publish notes advertise 'Chinese-first output' as a general feature without stating that it depends on user preference or locale. That framing normalizes language switching as a default behavior, which can lead to unexpected prompt transformations and reduced transparency in multi-user or English-default development environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal