ClawHub

AI Chief Growth Officer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a business-growth guidance skill with overly broad trigger wording, but no evidence of hidden access, credential use, persistence, destructive behavior, or data exfiltration.

Installers should treat this as a broad business-growth advisor, not an autonomous operator. Review its advice before acting on it, and be aware it may activate on generic AI, revenue, or conversion questions unless the skill author narrows the trigger wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger scope is broad enough to match many ordinary business or marketing requests, which can cause the skill to activate when the user did not specifically intend to invoke an AI growth-orchestration system. In an agent environment, unintended invocation can lead to irrelevant automation, overconfident strategy generation, or unnecessary access to downstream tools and context, increasing the chance of misrouting or unsafe autonomous behavior.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The listed trigger phrases are common-language requests like '怎么提升转化' and '怎么用AI赚钱', which are broad enough to capture many benign, ambiguous, or unrelated prompts. In this skill's context, broad matching is more dangerous because the skill is designed to act as an authoritative orchestration layer, so accidental invocation can misroute users and produce overly prescriptive business advice outside intended scope.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The listed trigger phrases are common-language requests like '怎么提升转化' and '怎么用AI赚钱', which are broad enough to capture many benign, ambiguous, or unrelated prompts. In this skill's context, broad matching is more dangerous because the skill is designed to act as an authoritative orchestration layer, so accidental invocation can misroute users and produce overly prescriptive business advice outside intended scope.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal