Back to skill

Security audit

Skillscanner

Security checks across malware telemetry and agentic risk

Overview

This skill only sends a user-provided ClawHub skill URL to a disclosed external scanner API and shows no hidden code, persistence, or destructive behavior.

Before installing, confirm you are comfortable sending ClawHub skill URLs you ask it to scan to Gen Digital's external scanner service. Avoid submitting private or access-controlled skill URLs unless that service is intended to receive them, and treat the scanner's result as one input rather than a complete security guarantee.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest includes broad triggers such as "trust skill," "secure skill," and "is this skill safe," which can match common user requests outside a narrowly scoped context. This can cause the skill to activate unexpectedly and steer users toward relying on an external verdicting API for trust decisions, increasing the chance of misuse or overreach.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.