Security audit

Churn Prevention

Security checks across malware telemetry and agentic risk

Overview

This is a narrow engineering guidance skill for Convex data-retention work, with no executable code or hidden data access.

Installers should treat this as an internal ClawHub development skill for Convex retention changes. It can guide work touching database cleanup and auth/session retention, so use it only in the intended repository context and review any generated cleanup or migration code before running it against production data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers (Medium)

Confidence: 89%

Finding:
The skill description is unusually broad and includes many generic phrases such as 'customers are leaving' and 'how do I keep users,' which can cause the skill to activate during general business, support, or strategy conversations that are not specifically about churn operations. Over-broad invocation increases the chance of inappropriate routing, causing the agent to inject retention-oriented guidance where it is not wanted and potentially steering user workflows or analyses off-task.

Vague Triggers (Medium)

Confidence: 92%

Finding:
The eval explicitly rewards the skill for triggering on casual phrasing like 'what should we show users when they click the cancel button,' which broadens activation beyond tightly scoped churn-intent queries. Over-broad routing can cause the skill to intercept adjacent requests and apply retention playbooks in contexts where they may be inapplicable or manipulative, increasing the chance of misfires and policy-unsafe guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.