aiq-assessment

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only AI assessment skill that is coherent with its stated purpose, though it may collect sensitive evaluation details and save a local report.

Use this skill only when you intentionally want a formal AIQ assessment. Do not paste secrets, private chats, or unnecessary HR details, and confirm the filename and location before allowing it to save or attach a report. Treat any score as advisory, not as the sole basis for hiring, promotion, or personnel decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill directs the agent to write the full assessment report to a local file by default and then deliver it as an attachment, even though file system modification is not essential to performing an AIQ assessment. This creates unnecessary side effects, may persist sensitive personal or HR evaluation data on disk, and can surprise users who only asked for an interactive assessment.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger list includes broad phrases such as general questions about whether someone 'can use AI,' which can match ordinary conversation and cause the skill to activate unintentionally. Overbroad activation increases the chance the agent applies a specialized assessment workflow in contexts where the user did not ask for it, leading to unnecessary data collection or file-writing behavior.

Vague Triggers

Medium
Confidence: 81%
Finding
The skill's usage conditions are expansive and do not clearly define boundaries for activation versus normal conversation, making it easy for the skill to engage when the user is merely discussing AI capability topics. In this skill, that ambiguity is more dangerous because activation can lead to structured evidence gathering, handling of third-party evaluation data, and default file creation.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to write a report file by default without clearly warning the user that it will modify local files. This can result in silent persistence of sensitive assessment content, especially in self-diagnosis, hiring, or team-audit contexts where the report may include personal performance judgments and conversation excerpts.

VirusTotal

63/63 vendors flagged this skill as clean.
