Generate Plumbing Service Company Client Education Handout

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed maintainer/developer workflow aid, with sensitive actions scoped to explicit user-directed ClawHub, GitHub, Convex, or review tasks.

Install only if you expect this agent to help with ClawHub maintainer or Convex development work. Review commands before allowing staff moderation, PR publishing, auth setup, package installation, or model-review fallback actions, because those can affect accounts, public comments, services, or local code.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill’s invocation guidance is overly broad and does not clearly define when it should or should not be used, which can cause an agent to invoke it in loosely related contexts. While the content itself is not overtly dangerous, ambiguous trigger boundaries increase the chance of inappropriate activation, scope creep, or use on requests that need more domain-specific safeguards or validation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal