ClawHub
Back to skill

Security audit

Park Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-and-configuration skill for answering park operations questions, with no executable code or hidden privileged behavior found.

Safe to install as an informational park operations assistant. Before using it with real operational data, limit who can access tenant, tax, financing, occupancy, and complaint information; confirm any future export implementation asks before writing files and avoids overwrites; and verify the marketplace capability tags do not grant crypto or purchase permissions beyond what these files describe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill defines very broad trigger phrases such as generic park-related queries, which can overlap with normal conversation and cause unintended activation. This is primarily a safety and control issue: accidental invocation may expose internal park data, perform actions the user did not intend, or confuse routing in a larger agent environment.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill advertises export to Excel, PDF, and PPT without describing where files are written, whether existing files may be overwritten, or what data may be included. In an agent system, undocumented file-generation behavior can lead to unintended persistence of sensitive business data, overwriting user files, or unsafe assumptions about output destinations.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.