ClawHub

Vibe Coding Workflow

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only coding workflow skill with broad activation wording but no hidden code, credential access, network behavior, or unsafe persistence.

Install this if you want a structured, checkpoint-heavy coding workflow. Expect the agent to ask planning questions and later modify project files when you reach code generation; review diffs before running or committing changes. Because the activation text is broad, bypass or disable the skill when you want quick, unstructured coding help.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match common software-help requests, which can cause the skill to activate when the user did not explicitly ask for this workflow. In an agent environment, overly broad activation can steer conversations into a predefined process, override more suitable skills, and create unintended behavior through prompt-routing ambiguity.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phase-entry examples map common statements like having a bug or messy code directly into specific workflow phases without clear disambiguation criteria. This ambiguity increases the chance of incorrect routing and unintended takeover by the skill, especially because these are routine requests that many unrelated coding or debugging skills could also match.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill's activation text uses very broad trigger phrases like 'help me build a project step by step', 'asks how to start a new feature or project with AI', and generic debugging/refactoring requests, which can cause it to activate for many ordinary software-assistance conversations. Overbroad activation increases the chance this workflow overrides more appropriate specialized skills or inserts a rigid multi-phase process into unrelated contexts, creating prompt-routing and scope-control risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal