Worldly Wisdom

Security checks across malware telemetry and agentic risk

Overview

This is a coherent decision-analysis skill with optional local calculators and no evidence of credential access, persistence, exfiltration, or destructive behavior.

Install this if you want broad strategy and decision questions handled with a structured decision-analysis style. Expect it to activate on phrases like "what am I missing" or "think this through," and review any JSON input or output path before allowing the optional Python scripts to run. For legal, medical, financial, or market-sensitive topics, use it as a framework for tradeoffs and questions, not as professional advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill instructs the agent to read local reference files, assets, and create JSON inputs for bundled scripts, which implies file read/write capability, yet no permissions are explicitly declared. That creates a transparency and policy-enforcement gap: a host may expose filesystem access implicitly or handle the skill inconsistently, increasing the chance of unintended local file access beyond what users expect.

Vague Triggers

Medium
Confidence: 88%
Finding
The description contains broad phrases like 'what am I missing' and 'think this through' that are common in ordinary conversation, so the skill may activate when the user did not intend a heavyweight decision-analysis mode. Unintended activation can override more appropriate skills, pull in extra file/script behaviors, or steer benign chats into structured workflows that expose context or consume unnecessary resources.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger examples include generic phrases such as 'Should I do this or not?' and 'Think this through with me,' which are too broad to safely distinguish this skill from normal assistant behavior. In a multi-skill environment, this raises the risk of accidental routing, causing the agent to apply decision frameworks, ask unnecessary clarifying questions, or access bundled resources unexpectedly.

Vague Triggers

Medium
Confidence: 93%
Finding
The compact trigger list is especially prone to collisions because it consists of short, natural phrases likely to appear in everyday chats. That makes unintended activation more likely at routing time, and because this skill can direct file usage and optional script execution, the consequence is more than cosmetic misclassification.

VirusTotal

66/66 vendors flagged this skill as clean.
