CodeGraph Index

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent code-analysis helper, but it can trigger broad repository indexing and a global tool install from ordinary project-analysis requests without a clear confirmation step.

Install only if you are comfortable with an agent using tree-sitter to scan broad parts of your codebase and potentially install tree-sitter-cli globally. Prefer using it after an explicit request to build a code index, and review generated .tree-sitter files so derived code structure is not committed or shared accidentally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The activation conditions are broad enough to match many normal developer requests, which can cause this skill to run unexpectedly and trigger workspace-wide parsing, package installation, or other heavyweight actions without clear user intent. In an agent system, ambiguous triggers increase the chance of unsafe or surprising tool use, especially when the workflow includes shell commands and global installs.

Vague Triggers

Medium
Confidence: 95%
Finding
The explicit trigger examples are everyday phrases like 'analyze this project' and 'understand code structure', which are common requests that do not imply consent to execute recursive scanning or install tooling. This makes accidental activation likely and can lead to unnecessary execution of shell commands across arbitrary repositories, expanding the attack surface and violating least surprise.

VirusTotal

VirusTotal findings are pending for this skill version.
