Skylv Market Pain Finder

Security checks across malware telemetry and agentic risk

Overview

This skill performs disclosed market research tasks using web search and local report generation, with no evidence of hidden access, exfiltration, persistence, or destructive behavior.

Install this if you want a market-research assistant that searches external sources and writes local Markdown outputs. Invoke it deliberately, confirm the research topic and output path, and ask for your preferred report language if Chinese is not desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases in the description are very broad (e.g. market research, pain point analysis, product validation), so the skill may activate for many ordinary business requests where the user did not specifically intend to invoke this skill. Overbroad activation can cause unintended external searching, file creation, and workflow hijacking, especially in multi-skill environments where more specific or safer skills should handle the request.

Natural-Language Policy Violations

Medium
Confidence: 80%
Finding
The skill content is written to enforce Chinese-language behavior without offering a user language preference or fallback. This can cause instruction-priority conflicts and unexpected output language, reducing usability and potentially causing misunderstanding of generated reports or summaries.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger words are generic market-research phrases and are not scoped to a specific product, workflow, or explicit user confirmation step. This increases the chance of unintended invocation, which is more concerning here because the skill can perform web searches and write files, potentially causing unwanted external queries and artifact generation.

VirusTotal

67/67 vendors flagged this skill as clean.
