ClawHub

Idea Spark

Security checks across malware telemetry and agentic risk

Overview

This skill is an idea-generation helper that clearly discloses web research and an optional local validation command, with no hidden persistence, credential access, or destructive behavior found.

Install this if you want web-backed project ideas. Be aware it may search the web for your requested domain, and if mcporter plus idea-check/idea-reality are installed it may run a local validation command; review that separate validation tool before enabling automatic checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill goes beyond passive idea generation by instructing the agent to invoke a local `exec` command to run `mcporter`, and then to 'proceed with development' on follow-up. That creates a capability escalation path from content generation into local command execution and downstream tool invocation, which is especially risky because the command is built from idea text and the skill description does not constrain execution with explicit trust boundaries or confirmation requirements.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README advertises very broad trigger phrases such as 'Give me project ideas' and 'What should I build', which are common everyday requests that can overlap with many unrelated assistant behaviors. In a skill-routing system, this increases the chance the skill is invoked too often or in the wrong contexts, potentially causing unintended web searches, noisy suggestions, or interference with more appropriate skills.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are very broad (`what should I build`, `give me ideas`, `project suggestions`) and overlap with common conversational requests, increasing the chance this skill activates when the user did not intend web research or validation behavior. In context, unintended invocation is more dangerous because this skill can perform external searches and may later route into command execution guidance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises idea generation but does not disclose that it will perform external web searches and may invoke local command execution for validation. This lack of transparency undermines informed consent and can surprise users with network access or host-side actions they did not authorize, which is more serious given the skill's broad invocation language.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal