ClawHub

Imanju App Dev Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent modular app-development guide with visible local scaffolding and lock-record scripts, but users should review any file changes before running them.

Install this only if you want a modular app-development workflow with local helper scripts. Run scripts from the intended project directory, use simple module names, and review generated folders, .locks files, symlinks, and any cleanup or refactoring changes in version control before accepting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger keywords are very broad app-development terms, so the skill may activate for ordinary software-engineering requests unrelated to this specific workflow. Overbroad activation increases the chance that file-writing or lock-related behaviors are surfaced unexpectedly in benign conversations.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance lists many broad development scenarios but does not define when the skill should not be used, especially when destructive or stateful tooling may be involved. In context, this makes accidental invocation more dangerous because the skill mixes process advice with scripts that can alter local project files.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill promotes user behavior collection, profile building, and cross-module data sharing but does not include privacy, minimization, retention, consent, or access-control safeguards. In an app-development skill, this omission can normalize insecure handling of personal data and lead downstream implementations to over-collect or improperly share sensitive user information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance says to automatically remove code that is invalid or inconsistent with confirmed functionality, but it provides no safeguards such as review, backup, diff inspection, or rollback. This is dangerous because automated deletion can destroy valid code, introduce supply-chain style tampering opportunities, or mask unauthorized changes under the label of cleanup.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal