ClawHub

Halo Cli Content

Security checks across malware telemetry and agentic risk

Overview

This skill is a Halo CMS command guide that can change or delete site content, but that behavior is disclosed and matches its content-management purpose.

Use this skill only when you intend the agent to manage Halo site content. Before publishing, deleting, or importing with --force, verify the active Halo profile, inspect the target resource, and export a backup when content loss would matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill includes destructive examples such as category/tag deletion with `--force` but does not explicitly warn that these actions are irreversible and can remove live content or metadata without confirmation. In an automation-oriented CLI skill, users may copy commands directly, increasing the chance of accidental destructive execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The post import examples use `--force` for JSON and Markdown imports without clearly stating that existing content may be overwritten. Because this skill is designed for terminal workflows and automation, the missing warning makes accidental replacement of published or in-progress content more likely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The single-page import example shows `--force` without warning that an existing page may be replaced. Since single pages often correspond to important site pages such as About or landing pages, accidental overwrite can cause visible site disruption or content loss.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal