Security audit

AppKittie

Security checks across malware telemetry and agentic risk

Overview

This is a coherent App Store research skill package that uses AppKittie data and a local marketing context file, with no artifact-backed evidence of hidden or destructive behavior.

Install only if you are comfortable using AppKittie's hosted MCP/API and storing app marketing details locally. Use a dedicated API key, verify the GitHub or npx source before installing, and avoid putting unrelated secrets, customer data, or confidential financial details into app-marketing-context.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill description contains broad activation phrases such as "set up my app," "my app details," and "before running any other skill for the first time," which can cause the skill to trigger in situations where the user did not explicitly intend to create a shared context file. Because this skill collects and persists cross-skill business information, unintended activation increases the chance of unnecessary data collection and propagation into later workflows.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill directs the agent to create a shared `app-marketing-context.md` file containing potentially sensitive commercial data, including revenue, downloads, competitors, ad budget, and strategic goals, but provides no warning that this information will be stored and reused by other skills. In this context, the shared-document design makes the issue more dangerous because the data is intentionally propagated across multiple downstream skills, increasing exposure and the likelihood of over-collection or unintended reuse.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger description is broad enough to activate on common comparison-oriented requests, which can cause this skill to be invoked outside its intended scope. Over-broad routing can expose users to irrelevant or more sensitive competitive-intelligence behavior, increasing the chance of unintended data access, misleading guidance, or prompt-scope confusion across adjacent skills.

VirusTotal

63/63 vendors flagged this skill as clean.