Security audit

Skill Zipper

Security checks across malware telemetry and agentic risk

Overview

This skill is a tool for restructuring Claude Code skills; its behaviour is disclosed up front, and it asks for user approval and runs verification steps before it edits any file.

Install it only if you want an agent to analyze and potentially rewrite your local skill files. Prefer dry-run mode for important skills, review the proposed plan and diff output before approving the apply step, and keep a backup or version-control snapshot of any skill directory it edits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a mismatch because the declared purpose says the skill compresses an existing skill losslessly, implying it performs or helps perform the transformation. The actual code is diagnostic and auditing code: one script verifies whether a restructure preserved content, and the other measures token usage and flags structural issues. Those behaviors are related to evaluating or planning compression, but they are not the same as actually compressing a skill. The code's primary purpose is analysis/audit, which the description explicitly says it is not ('not audit'). There is no hidden network or unrelated resource access, but the main function materially differs from the declared purpose.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation guidance is broad and loosely scoped: phrases like 'too long,' 'vague rules,' 'fails to trigger,' and 'wants a structure audit' can match many unrelated situations and increase unintended invocation. In a skill system, over-broad triggering can cause the wrong skill to run, leading to inappropriate transformations of user content or unnecessary processing rather than direct code execution compromise.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation language is broad enough that the skill may trigger on ordinary requests about rewriting, shortening, or improving instructions, causing it to load in contexts where the user did not explicitly intend to invoke it. Over-broad triggering can lead to unnecessary file reads, unintended restructuring actions, or interference with other skills and user workflows.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The template instructs authors to use a placeholder trigger, 'Read this when {specific trigger condition}', but does not require concrete, testable constraints or examples of acceptable specificity. In a skill system, vague triggers can cause over-broad or unintended activation of guidance, which can lead to misapplication of instructions, prompt-scope expansion, or accidental invocation in unrelated contexts.

Hidden Instructions

High
Category
Prompt Injection
Content
<!--
  Copy this file to rules/<your-name>.md and fill in the placeholders.
  Strip these HTML comments before committing — they exist to guide the
  author, not the reader.
Confidence
70% confidence
Finding
<!-- Copy this file to rules/<your-name>.md and fill in the placeholders. Strip these HTML comments before committing — they exist to guide the author, not the reader. Naming convention:

Hidden Instructions

High
Category
Prompt Injection
Content
<!--
  Copy this file to SKILL.md when creating a new skill. Strip these HTML
  comments before committing.
Confidence
70% confidence
Finding
<!-- Copy this file to SKILL.md when creating a new skill. Strip these HTML comments before committing. Target sizes: - Frontmatter description: 60-150 tokens - Body: under 150 lines /

Hidden Instructions

High
Category
Prompt Injection
Content
# {skill name}

<!--
  Opening paragraph: 2-3 sentences. What the skill does, the guiding
  principle, and any non-negotiable invariant. The reader has just
  loaded this on a turn that matched the description — anchor them.
Confidence
70% confidence
Finding
<!-- Opening paragraph: 2-3 sentences. What the skill does, the guiding principle, and any non-negotiable invariant. The reader has just loaded this on a turn that matched the description — anch
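The three Hidden Instructions findings above flag HTML comments that a skill author is told to strip before committing, and the third Vague Triggers finding flags an unfilled `{specific trigger condition}` placeholder. The following script is an added example of a pre-commit check for exactly those two conditions; it is not part of Skill Zipper or SkillSpector, and the sample SKILL.md it scans is constructed for the example. It masks fenced code blocks so braces inside shell snippets are not reported as placeholders, and it reports an unterminated `<!--` separately, since an unclosed comment hides everything after it from a rendered view.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the template comments the report flags.
# It is NOT the Skill Zipper project's own SKILL.md.
SAMPLE_SKILL_MD = """---
name: example-skill
description: Read this when {specific trigger condition}.
---
# {skill name}

<!--
  Opening paragraph: 2-3 sentences. What the skill does, the guiding
  principle, and any non-negotiable invariant. Strip these HTML comments
  before committing.
-->

Run the helper script; braces inside a code fence are not placeholders:

~~~sh
echo "${HOME}"
~~~
"""

FENCE = re.compile(r"(```|~~~).*?\1", re.DOTALL)          # fenced code blocks
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)      # closed HTML comments
PLACEHOLDER = re.compile(r"\{[A-Za-z][A-Za-z0-9 _-]*\}")   # template slots like {skill name}


@dataclass
class Finding:
    kind: str       # "hidden-comment", "unterminated-comment" or "unfilled-placeholder"
    line: int       # 1-based line where the match starts
    excerpt: str    # short, whitespace-normalised snippet for the report


def _blank(m: "re.Match") -> str:
    # Replace a match with same-length whitespace so later offsets and
    # line numbers computed on the masked text still point into the original.
    return re.sub(r"[^\n]", " ", m.group(0))


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def _excerpt(s: str, n: int = 60) -> str:
    s = " ".join(s.split())
    return s if len(s) <= n else s[:n] + "..."


def find_hidden_comments(text: str) -> List[Finding]:
    """Report every HTML comment outside code fences, plus any unclosed one."""
    body = FENCE.sub(_blank, text)
    findings = [
        Finding("hidden-comment", _line_of(body, m.start()), _excerpt(m.group(1)))
        for m in HTML_COMMENT.finditer(body)
    ]
    remainder = HTML_COMMENT.sub(_blank, body)
    pos = remainder.find("<!--")
    if pos != -1:  # an opener with no closer hides the rest of the file when rendered
        findings.append(Finding("unterminated-comment", _line_of(remainder, pos),
                                _excerpt(remainder[pos:])))
    return findings


def find_unfilled_placeholders(text: str) -> List[Finding]:
    """Report template slots left unfilled in visible (non-comment, non-fence) text."""
    body = HTML_COMMENT.sub(_blank, FENCE.sub(_blank, text))
    return [
        Finding("unfilled-placeholder", _line_of(body, m.start()), m.group(0))
        for m in PLACEHOLDER.finditer(body)
    ]


def audit(text: str) -> List[Finding]:
    return find_hidden_comments(text) + find_unfilled_placeholders(text)


if __name__ == "__main__":
    for f in audit(SAMPLE_SKILL_MD):
        print(f"{f.kind:22} line {f.line:>3}  {f.excerpt}")
```

Placeholders inside an HTML comment are not reported on their own because the comment itself is already a finding; a skill whose only placeholders live in comments is clean once the comments are stripped, which is the state the templates ask the author to commit.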

Self-Modification

High
Category
Rogue Agent
Content
`assets/*`, `references/*`, or `scripts/*` with the content it will
   hold. Do NOT touch SKILL.md yet.

3. **Update SKILL.md last.** Remove content that has been written
   elsewhere; add references to the new files; apply Harden rewrites;
   apply Retrigger description rewrite.
Confidence
85% confidence
Finding
Update SKILL

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
- Features gated by a user choice ("only if exporting to PDF")
- Error handling paths that rarely trigger
- A whole workflow branch that applies to one mode but not another
- Language packs, theme variants, format-specific output rules

For each candidate: name it, estimate token savings per typical
invocation, state the **explicit condition** that gates loading. If the
Confidence
85% confidence
Finding
output rules

VirusTotal

64/64 vendors flagged this skill as clean.