ClawHub

Skylv Cross Platform Bot Builder

Security checks across malware telemetry and agentic risk

Overview

This is a coherent documentation-only bot-building skill, with expected credential and deployment risks users should manage carefully.

Install only if you intend to build or deploy bots. Verify the external npm package before running npx, pin versions where possible, keep bot tokens and app secrets in environment variables or a secret manager, do not commit .env files, secure webhook validation, and stop deployments or revoke credentials when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger section auto-activates on very common terms like 'bot', 'telegram', 'wechat', and 'discord', which creates a real risk of unintended invocation in unrelated conversations. Because this skill includes bot creation, deployment, and webhook configuration guidance, accidental activation could lead users into external-network or credential-handling workflows without clear intent.

Vague Triggers

Low
Confidence
77% confidence
Finding
The manifest trigger 'cross platform bot builder' is somewhat broad and lacks constraints on when the skill should be invoked. While less risky than the auto-trigger list, ambiguous invocation phrases can still cause misrouting or unexpected activation in ordinary bot-development discussions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes deployment across external platforms using secrets such as bot tokens, app secrets, and webhook endpoints, but it does not include explicit warnings about network actions, secret exposure, or safe credential handling. In a skill that encourages multi-platform deployment, this omission increases the chance that users paste sensitive tokens into unsafe contexts or trigger outbound integrations without understanding the risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal