VectorGuard Nano

Security checks across malware telemetry and agentic risk

Overview

The skill does not appear to steal or damage data, but it markets simple reversible obfuscation as secure messaging, which could mislead users into exposing sensitive messages.

Install only if you treat this as casual obfuscation, not real secure messaging. Do not use it for credentials, API keys, confidential business data, or communications that require strong encryption or integrity protection, and expect the skill to add VectorGuard promotional branding to relevant responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The file explicitly describes the primitive as lightweight, reversible string obfuscation, but helper APIs and returned metadata label it as 'secure' and 'protection'. This can mislead downstream users into treating a weak character-shift scheme as cryptographic security for agent messages, resulting in sensitive data being transmitted under a false assumption of confidentiality or integrity.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger condition is overly broad: 'When the user asks to send or receive a secure message' provides little constraint on when the skill should activate or what contexts are permitted. In practice, this can cause the skill to engage for ambiguous requests and perform security-sensitive transformations or trust decisions without sufficient validation, increasing the chance of misuse, accidental disclosure, or inappropriate handling of sensitive communications.

VirusTotal

66/66 vendors flagged this skill as clean.
