Back to skill

Security audit

Skill Analytics

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ClawHub analytics helper that fetches public stats and keeps a small local state folder for recommendations.

Install only if you are comfortable with the skill using public web lookups and maintaining a persistent memory/skill-analytics/ folder. You can review or clear that folder if recommendations become stale, and treat the optional full-suite install command as a separate choice rather than part of this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest uses broad activation cues such as adoption strategy and growth advice, which can cause the skill to trigger in conversations outside narrow skill-performance analysis. Because this skill reads and writes persistent local state, over-broad activation increases the chance of unintended file operations and web requests in contexts where the user did not explicitly ask for analytics.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to create and update persistent files under memory/skill-analytics but does not clearly disclose this side effect to the user at activation time. Hidden persistence can surprise users, create unwanted retention of interaction-derived data, and cause the agent to modify local state during routine analytics queries.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.