ClawHub

Legacy Code Symptom Router

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only legacy-code triage skill with disclosed local code-reading and triage-output behavior, with minor cautions around broad triggers and a fixed output filename.

Install this only if you want an agent to help triage legacy-code work. Keep it scoped to repositories you intend the agent to inspect, review any downstream skills before granting stronger tools, and ask the agent to show or confirm triage.md before writing if that filename may already exist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill advertises very broad activation phrases such as 'where do I start', 'what should I do with this code', 'I'm stuck', and 'overwhelmed', which can match ordinary developer conversation far outside the intended legacy-code scope. In an agentic environment, this can cause unintended invocation and routing, leading to context hijacking, user confusion, or unnecessary downstream tool use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to write a `triage.md` file in the working directory, but it does not require prior user consent or warn that it will modify the workspace. Silent file creation is risky because it changes user state unexpectedly and can overwrite existing artifacts, clutter repositories, or normalize unauthorized writes by other skills.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases for Symptom 1 include very common urgency language such as deadlines, quick fixes, and production incidents. In a first-hop router skill, broad triggers can cause unintended activation and misroute users into legacy-code workflows when they are describing ordinary engineering pressure, reducing reliability and potentially steering follow-on automation toward the wrong guidance.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The Symptom 2 trigger set contains highly frequent phrases like 'takes forever' and 'our builds are awful' that can arise in many contexts unrelated to this specific routing decision. Because this skill is intended to dispatch to downstream techniques, ambiguous activation at the router layer is more dangerous than in a standalone advisory document: it can cascade into incorrect skill selection and poor remediation advice.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The triggers around unknown behavior include generic statements like 'I don't know what to test here' and 'I'm afraid the code does something I don't expect,' which overlap with normal developer uncertainty across many domains. In this router context, such broad emotional and exploratory language can incorrectly funnel users into characterization testing even when the real issue is requirements ambiguity, testability, or architectural confusion.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The comprehension-problem triggers such as 'I have no idea what this does' and 'inherited this mess' are broad conversational phrases that can match ordinary frustration rather than the specific need for scratch refactoring. Since the referenced technique explicitly involves modifying code without tests for understanding and then discarding changes, misrouting into it could encourage risky behavior if the user has not been clearly identified as needing a comprehension-only workflow.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The morale-related triggers are especially broad because terms like 'overwhelmed' and 'we've given up' can appear in many support conversations. In a top-level router, emotional language without technical qualifiers can produce false activations and divert users away from concrete technical help, making the skill easier to manipulate through prompt wording and less dependable as an entry point.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal