Dev Tools Pack

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a set of simple developer generators, but its code review tool presents canned results as real analysis and its README generator can overwrite existing work without warning.

Install only if you treat these as template generators, not trustworthy analysis tools. Do not rely on the code review assistant for real security or merge decisions, and run the README generator only in a disposable or version-controlled directory where overwriting README.md is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The `review` command claims to analyze a user-supplied file or directory, but it never inspects the target and instead outputs a hardcoded report. This is dangerous because users may rely on the fabricated review to make security or release decisions, creating a false sense of assurance and potentially allowing real vulnerabilities to pass unchecked.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The `diff` command suggests it reviews repository changes, but it only prints `git diff --stat` and then emits a static issue summary unrelated to the actual diff. This can mislead developers into believing changed code has been reviewed, undermining code review integrity and potentially concealing real defects or security issues.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script unconditionally writes to README.md using shell redirection, which will overwrite any existing file without prompting or creating a backup. In normal use this can destroy existing documentation or clobber user edits, especially if run in the wrong directory or as part of automation.

VirusTotal

VirusTotal findings are pending for this skill version.
