ClawHub

Greeting Skill

Security checks across malware telemetry and agentic risk

Overview

This is a simple greeting skill that matches its stated purpose and does not access private data or system resources.

Install only if you are comfortable with a skill that may respond to casual greetings like "hi" or "hello". Security review found no evidence of credential use, data access, persistence, network calls, shell execution, or destructive behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The README advertises broad triggers such as "greet", "hello", "hi", and time-of-day phrases, which overlap heavily with normal conversation. In an agent framework, this can cause the skill to activate unintentionally during ordinary user dialogue, creating prompt-routing ambiguity and allowing the skill to intercept requests not meant for it.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list contains extremely common conversational phrases like "hello," "hi," and time-of-day greetings, which can cause the skill to activate during normal user interaction rather than only when explicitly intended. In an agent environment, this increases the chance of unintended invocation, routing conflicts with other skills, and user input being handled by the wrong capability.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
93% confidence
Finding
The trigger 'hello' is extremely generic and is likely to activate the skill in many unrelated conversations, causing unintended invocation. While this is not a direct code-execution or data-exfiltration issue, it can degrade routing integrity and create opportunities for prompt/skill hijacking or user confusion in multi-skill environments.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
95% confidence
Finding
The trigger 'hi' is even broader than 'hello' and is commonly used in ordinary conversation, making accidental activation highly likely. In a shared agent environment, this can cause unintended skill selection, noisy behavior, and potential interference with more appropriate skills.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal