Back to skill

Security audit

Newsletter Creation & Curation

Security checks across malware telemetry and agentic risk

Overview

This is a newsletter strategy guide with broad auto-activation metadata, but it contains no code, hidden automation, credential use, or data access.

Safe to install as a newsletter guidance resource. Be aware it may be invoked broadly because of always:true, and independently review any suggested publishing, compliance, advertising, platform-spend, or public-posting advice before acting in real accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

High
Confidence
98% confidence
Finding
The manifest sets `metadata.clawdbot.always=true`, which can cause this skill to be loaded or considered active without a narrow user-triggered scope. That increases the chance the agent injects newsletter-specific guidance into unrelated tasks, creating prompt-surface expansion and unintended influence over downstream decisions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.