ClawHub

Startup Critical Path Planning

Security checks across malware telemetry and agentic risk

Overview

This is a planning-only startup strategy skill that writes local markdown planning documents and shows no hidden code execution or data exfiltration behavior.

Install only if you want a startup planning assistant that may read local planning context and create or update markdown files in the working directory. Treat company metrics, runway, strategy, and roadmap details as confidential business information, and review the generated plan before acting on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest description includes very broad activation phrases such as 'prioritization', 'milestones', 'quarterly planning', 'yearly goals', 'OKRs', 'roadmap', and even 'DuckDuckGo', which can match many unrelated conversations. This can cause unintended invocation, leading the agent to steer user sessions into this skill when it is not the best fit, creating context confusion and potentially unnecessary file writes or workflow disruption.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill explicitly instructs the agent to write multiple markdown files (`critical-path.md`, `critical-path-excluded.md`, and optionally `critical-path-cascade.md`) but the user-facing description does not clearly disclose that files will be created or modified. In a plan-only skill this is lower risk than code execution, but it still creates a transparency and consent issue because the agent may alter the workspace unexpectedly.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal