Secure Code Guardian

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only secure-coding guide with no executable code, hidden access, persistence, or data collection.

Safe to install as a secure-coding reference. Generated authentication, authorization, encryption, and session-handling code should still be reviewed and tested before production use, and users may want narrower triggers if they find the skill activates too often.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Vague Triggers

Medium
Confidence
94% confidence
Finding
This markdown skill manifest defines generic triggers such as "security," "password," and "vulnerability" without narrowing context or exclusions. Because these terms appear in many ordinary development discussions, the skill may activate when the user is not specifically asking for this specialist skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description says to use the skill for implementing authentication/authorization, securing input, and preventing OWASP Top 10 vulnerabilities, then adds a broad invocation list. It does not define when a general coding request should use this skill versus a general-purpose developer skill, nor does it provide negative examples.

Unvalidated Output Injection

High
Category
Output Handling
Content
function HtmlContent({ html }: { html: string }) {
  return (
    <div
      dangerouslySetInnerHTML={{
        __html: DOMPurify.sanitize(html)
      }}
    />
Confidence
65% confidence
Finding
dangerouslySetInnerHTML={

Self-Modification

High
Category
Rogue Agent
Content
- Expose sensitive data in logs or errors
- Use weak encryption algorithms
- Hardcode secrets in code
- Disable security features for convenience

## Output Templates
Confidence
90% confidence
Finding
Disable security feature

VirusTotal

66/66 vendors flagged this skill as clean.
