ClawHub

Startup Guide

Security checks across malware telemetry and agentic risk

Overview

This startup guidance skill is coherent, but it tells agents to run shell commands with user-supplied business or industry values without safe argument handling.

Review before installing. Use it only if you are comfortable with startup-related queries being routed to linked legal, tax, government-program, search, and company-info tools. Agents should not build shell command strings from raw user input; industry names, law names, and business registration numbers should be passed through safer structured tool calls or carefully escaped argument arrays.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list contains very broad terms such as "창업," "허가," "신고," and "법인," which can appear in many unrelated conversations and cause the skill to activate unexpectedly. Because this skill can route into legal, tax, licensing, and support-program guidance, accidental invocation increases the chance of irrelevant or misleading business guidance being surfaced without clear user intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger set includes broad, natural-language phrases such as "뭐부터 해?" that can match ordinary conversation without a clear startup context. This can cause unintended routing into the skill, leading to incorrect assistance, privacy-relevant data collection prompts, or invocation of linked skills and external data sources when the user did not intend to use this domain.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The beginner aliases are highly generic words like "쉽게", "기초", and "모르겠어", which are common across many unrelated conversations. In this skill, those aliases increase the chance of accidental activation or forced beginner-mode responses in contexts unrelated to business setup, especially because the skill also routes to external services and regulatory guidance.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal