ClawHub
Back to skill

Security audit

Poster Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent poster-generation helper, with the main caution that it may create output files and has a broad trigger phrase.

Install only if you want an agent to generate poster files. Ask the agent to confirm the output path before saving, avoid overwriting existing files, and treat the "meta-skill-system" trigger as overbroad rather than harmful.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list is very broad and includes generic poster-related terms plus the unusual token "meta-skill-system," which can cause the skill to activate in many ordinary conversations without clear user intent. Over-broad activation increases the chance that the agent will enter this skill unexpectedly and follow its file-output workflow or internal instructions in contexts where the user did not explicitly request that behavior.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs the agent to save generated content as files and later says to report file location and opening method, but it does not require user confirmation, safe output paths, non-overwrite behavior, or disclosure of side effects before writing. In an agent environment with filesystem access, this can lead to unintended file creation, overwriting existing content, or surprising persistence of generated artifacts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly instructs determining a save path and writing files, but it does not require user confirmation, path restrictions, or safety checks before creating or modifying files. In an agent setting, this can enable unintended filesystem writes, overwriting user data, or placing generated content in unsafe locations if downstream execution follows the specification literally.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal