ClawHub

sample skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, instruction-only USDC hackathon guide with expected credential and posting workflows for Moltbook, GitPad, and testnet projects.

Safe to install as hackathon documentation, but review any Moltbook post or vote before sending it, protect the Moltbook API key and ~/.gitpad_password file, use only testnet wallets and tokens, and note that the listed February 2026 submission and voting deadlines have already passed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description uses very broad activation language ('Use when participating in the USDC Hackathon, submitting projects, or voting'), which can cause the skill to trigger in many loosely related contexts. In a workflow that includes credentials, external posting, and voting actions, over-broad invocation increases the chance an agent applies the skill when the user did not intend to perform hackathon-related network actions.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The track description says agents should build and submit a skill, but it does not narrowly define when this skill content should be invoked versus treated as passive contest documentation. In agentic systems, broad activation wording can cause the skill to trigger in loosely related contexts such as any hackathon, submission, voting, or USDC discussion, which may lead the agent to follow embedded workflow instructions, perform unnecessary verification/fetching, or interfere with unrelated tasks.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal