Skill Dedup Scanner

Security checks across malware telemetry and agentic risk

Overview

This appears to be a skill-auditing helper whose broad triggers may misroute some requests, but the behavior described is coherent with its purpose and no harmful actions are evidenced.

Install this if you want an agent to review or compare your installed skills. Be aware that broad skill-related requests may invoke it, so use explicit wording when you want a scan and review any results before acting on recommendations.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger phrases are broad, generic requests such as "audit my skills" and "find similar skills" that could plausibly match normal user intent outside a narrow administrative context. In an agent/skill ecosystem, this can cause unintended activation, routing confusion, or interception of requests meant for other skills, especially since the skill scans installed skills and may access metadata the user did not explicitly intend to expose in that moment.

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger phrase at this location is broad enough that ordinary user requests to review or inspect skills could unintentionally invoke this skill. In a skill-routing environment, ambiguous triggers can cause misfires, model confusion, and accidental execution of the wrong capability, especially because this skill is designed to scan installed skills and may be selected during general discussion about skills.

Vague Triggers

Medium
Confidence: 88%
Finding
This trigger phrase is vague and overlaps with normal conversational questions about whether skills are similar, which raises the chance of unintended activation. Because the skill operates on the installed skill set, accidental routing could expose internal metadata or produce confusing behavior when the user only wanted general advice rather than a scan.

VirusTotal

64/64 vendors flagged this skill as clean.
