Vibe Coding Best Practices v3.0

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AI coding workflow guide, but it includes under-safeguarded Git recovery and automation snippets that can discard, auto-commit, or auto-push project changes.

Install only if you want an agent to use it as coding-process guidance. Before letting an agent apply snippets from it, require explicit approval for any git reset, checkout rollback, hook creation, auto-commit timer, or git push, and make a backup branch or stash first. Avoid putting secrets or private user data into DESIGN, HANDOFF, LOG, status, or memory/task files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (91% confidence)

Finding: The trigger list contains very broad terms such as "AI 开发", "多 agent", and "新项目启动", which can cause the skill to activate in many ordinary development conversations outside the user's intended scope. Over-broad auto-invocation is risky because it can inject extensive procedural guidance into unrelated contexts and steer user workflows unexpectedly.

Missing User Warnings

Medium (95% confidence)

Finding: The recovery guidance recommends destructive Git commands like `git reset --hard <stable>` without an explicit warning that uncommitted work will be permanently discarded. In an agent skill, users may follow such commands verbatim during stressful debugging, making accidental data loss substantially more likely.

Missing User Warnings

Medium (95% confidence)

Finding: This section explicitly recommends `git reset --hard <stable-commit>` during emergency recovery without a prominent warning that the command irreversibly discards uncommitted local changes. In an agent skill context, that is dangerous because an automated agent may follow the instruction literally and destroy user work while attempting recovery.

Missing User Warnings

Medium (97% confidence)

Finding: The document presents `git reset --hard HEAD~1` as a normal safety-net workflow but does not clearly warn that it permanently removes uncommitted modifications and rewrites the working tree. Because this skill is operational guidance for agents handling failures, the omission increases the chance that an agent will execute destructive rollback commands automatically.

VirusTotal

64/64 vendors flagged this skill as clean.
