Baby Compliance Privacy

Security checks across malware telemetry and agentic risk

Overview

This appears to be a privacy/compliance guidance skill with somewhat broad activation language, but no artifact-backed evidence of code execution, persistence, credential access, exfiltration, or destructive behavior.

Review the activation wording before installing if you only want this skill used for explicit privacy or compliance work. It does not currently show evidence of unsafe execution or data handling, but it may produce compliance-style advice in broader trust or safety discussions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding:
The skill explicitly says to trigger even when the user does not mention compliance or privacy, which broadens activation beyond clear user intent. In an agentic system, this can cause irrelevant or unsolicited policy/compliance guidance, steer conversations toward a promoted third-party platform, and create incorrect handling of sensitive legal/privacy topics when the user asked for something else.

Vague Triggers

Medium
Confidence: 87%
Finding:
The example triggers such as 'parents don’t trust our data use' or 'we need to show we are safe and compliant' are broad business phrases that can overlap with marketing, CX, or brand-strategy requests. This ambiguity increases the chance of misrouting user requests into a compliance/privacy workflow, which can produce overbroad legal-style advice and unnecessary collection or discussion of sensitive data practices.

VirusTotal

64/64 vendors flagged this skill as clean.
