ClawHub

Lance

Security checks across malware telemetry and agentic risk

Overview

Lance is a coherent Web3 audit helper with local, user-directed scripts and no evidence of hidden credential use, persistence, exfiltration, or destructive behavior.

Install only if you want an agent to help with authorized Web3 security reviews. Keep target scope explicit, avoid giving it unrelated private repositories or secrets, and review output paths before running the included local scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill enables implicit invocation with no explicit trigger constraints, exclusions, or approval gates, which increases the chance it will be auto-selected in contexts the user did not clearly intend. Because this is a security-focused Web3 auditing agent, unintended activation can cause over-broad analysis, accidental handling of sensitive code or findings, and misuse in adjacent tasks where its assumptions and behaviors are inappropriate.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation without any documented trigger constraints, so it may activate in broader contexts than intended. For a security-auditing agent, this increases the chance of unintended handling of sensitive code, audit artifacts, or user prompts, and can cause the agent to be invoked by ambiguous language outside explicit user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The default prompt is generic enough that the skill can be invoked for a wide range of security-review requests without strong scope checks, and the policy explicitly allows implicit invocation. In a security auditing context, broad triggering is risky because it can cause the agent to act on sensitive code, contracts, or bug bounty targets when the user did not clearly and deliberately request this specific high-impact skill.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill enables implicit invocation without any visible trigger constraints, which can cause the agent to auto-activate in broader contexts than intended. Because this skill is a security-audit agent that may influence analysis output and be invoked on sensitive code or reports, ambiguous routing increases the risk of unintended execution, prompt-surface expansion, and misuse in unrelated conversations.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation without any visible narrow trigger constraints, so it may activate in response to broad audit- or security-related prompts even when the user did not explicitly request this specific skill. In a security-sensitive Web3 context, unintended activation can cause the agent to apply powerful auditing behavior, triage logic, or workflow assumptions in the wrong context, increasing the risk of prompt hijacking, tool misuse, or scope creep.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill enables implicit invocation without any narrowing conditions, so the platform may auto-select it in loosely related conversations. Because this skill is a high-impact security auditing agent that can influence vulnerability triage and reporting, unintended activation can cause overbroad access to sensitive code, mis-scoped security analysis, or unreviewed tool use in contexts the user did not clearly request.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
- required market conditions are unlikely
- impact is minor or self-harm-only

## Final Output Rule

Only include findings that pass all gates.
If none pass, output:
Confidence
95% confidence
Finding
Output Rule

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal