Vue Expert

Security checks across malware telemetry and agentic risk

Overview

This is a normal Vue development guidance skill, though some copyable examples should be reviewed before use in production apps.

Safe to install as a Vue guidance skill. Before using generated or copied code in production, review authentication/session handling, avoid persisting bearer tokens in localStorage or sessionStorage when possible, use safe SSR state serialization, and run npm/npx setup commands only in the intended project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger list contains short, generic terms like 'reactive' and 'ref' that commonly appear in ordinary Vue and JavaScript discussions. This can cause the skill to auto-invoke in contexts broader than intended, increasing the chance that its prescriptive instructions override user preference or route the agent into an unnecessarily narrow implementation path.

Missing User Warnings

Medium
Confidence: 96%
Finding
The custom SSR example injects `JSON.stringify(initialState)` directly into a `<script>` tag, which can expose sensitive server-side data to any user viewing page source and can enable script-breaking/XSS if serialized data contains characters like `</script>`. In a Vue/Nuxt reference skill, readers may copy this pattern into real applications, making the unsafe serialization pattern materially risky.

Missing User Warnings

Medium
Confidence: 90%
Finding
The login example transmits credentials and then assigns the raw response directly to application state without showing basic security checks, and the surrounding documentation provides no warning about safe credential handling. In a developer reference skill, examples are likely to be copied verbatim, so omission of guidance can normalize insecure authentication patterns and increase the chance that secrets or session material are mishandled.

Missing User Warnings

Medium
Confidence: 97%
Finding
The persistence example explicitly stores an authentication token in browser-managed storage, which makes the token accessible to any JavaScript running in the page, including code injected via XSS or compromised dependencies. Because this is instructional content for frontend developers, the example is especially risky: it can directly propagate a common but dangerous pattern into real applications.

VirusTotal

66/66 vendors flagged this skill as clean.
