ClawHub

Agent Quality Tester

Security checks across malware telemetry and agentic risk

Overview

This is a local agent-evaluation helper that reads user-chosen samples and produces heuristic scores, with no evidence of network transfer, credential use, persistence, or destructive behavior.

Install only if you are comfortable using a local Node.js helper on agent logs or output files. Avoid passing full private conversation histories or sensitive files unless needed, and treat the resulting score as a rough heuristic rather than a rigorous safety or quality certification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases and example invocation are generic enough to match ordinary user requests about evaluating agents, which can cause the skill to activate unintentionally. This creates a prompt-routing and scope-control problem: users may disclose conversation history or receive tool-driven evaluation behavior when they only intended a normal discussion, increasing the chance of privacy leakage or inappropriate handling of sensitive context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly invites evaluation of conversation history without warning that prior messages may contain sensitive personal, confidential, or regulated data. If users or downstream systems pass full histories into the evaluator by default, the skill could process more data than necessary, leading to unnecessary exposure, retention, or secondary use of sensitive content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal