ClawHub

Vibe Coding Skill

Security checks across malware telemetry and agentic risk

Overview

This is a procedural spec-first coding workflow skill with no evidence of hidden credential use, exfiltration, destructive behavior, or unrelated persistence.

Install if you want a structured spec-first coding workflow. Before using it, be aware that it may create and update specs/ files, guide the assistant through multiple phases, run normal project verification steps, and potentially encourage commits as part of the workflow; use it when you explicitly want that structure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises auto-triggering on broad natural-language phrases such as asking to follow a 'structured workflow step by step,' which can match ordinary development requests unrelated to this specific skill. In an agent environment, overly broad activation conditions can cause the skill to engage unexpectedly, steering conversations and project actions without clear user intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill instructs automatic activation when common keywords such as 'vibe', '氛围编程', '规范工作流', or phase numbers appear, without requiring clear confirmation that the user wants this skill. This can cause unintended activation, steer conversations into a rigid workflow, and let benign mentions of those terms alter assistant behavior unexpectedly. In this context, the danger is moderate rather than severe because the skill is procedural and not directly granting code execution or data access, but it still creates prompt-routing and scope-control risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal