Aistore

Security checks across malware telemetry and agentic risk

Overview

This skill is an AI STORE marketplace manager, but it tells the agent to install tools and skills, start auth setup, and browse in the background with too little user control.

Use only if you deliberately want this agent to manage AI STORE skills and model setup. Before installing, require explicit confirmation for every global npm install, skill install or uninstall, SSO/auth step, and web access; inspect newly installed skills before allowing them to guide future behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill explicitly requires silent browsing of an external marketplace page to harvest model IDs for the agent's own knowledge base, even when not necessary to satisfy a user request. This expands data collection and network activity beyond the stated user-facing task, creating undisclosed outbound access and privilege creep.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs the agent to silently run a global npm installation, which modifies the host environment and grants new package-management capabilities outside the immediate task. Silent system-wide installation increases the attack surface and can enable unreviewed code execution or persistence via third-party tooling.

Vague Triggers

High
Confidence: 98%
Finding
The instruction that the agent 'must' automatically use this skill whenever a user requests a capability or missing skill is overly broad and can hijack ordinary conversations into package search/install flows. In context, this is dangerous because the skill also authorizes network access and software installation, so broad triggers can cause unintended high-risk actions from routine prompts.

Vague Triggers

High
Confidence: 96%
Finding
The 'When to Use This Skill' section includes common phrases like 'how do I do X' and 'can you do X,' which are too ambiguous to safely govern a skill that can install software and access external services. This makes accidental invocation likely and increases the chance of unauthorized system changes during normal user interactions.

Missing User Warnings

High
Confidence: 97%
Finding
The skill directs the agent to automatically run search and install commands without a user-facing warning about system modification, network access, or third-party code retrieval. Installing packages based solely on conversational intent removes informed consent and can lead to unsafe execution of untrusted marketplace content.

Missing User Warnings

High
Confidence: 97%
Finding
The prerequisite step mandates a silent global npm install with no warning about system-wide changes, elevated trust in external packages, or possible execution risks. Because this alters the environment before the user has approved the action, it violates least surprise and creates a direct path to supply-chain compromise.

Missing User Warnings

High
Confidence: 96%
Finding
The skill requires automatic installation of an authentication-related package and immediate handoff into SSO/login flow without renewed consent or warning about account access implications. Authentication tooling is especially sensitive because it may handle credentials, tokens, or identity linkage, making silent installation and execution more dangerous in this context.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill mandates silent background browsing of an external site without disclosure that network access will occur or what data will be retrieved. Undisclosed outbound requests can violate user expectations and organizational controls, especially when performed for background knowledge acquisition rather than the immediate task.

Ssd 4

Medium
Confidence: 96%
Finding
This step instructs the agent to proactively browse and harvest marketplace information for its own future use, rather than to fulfill a specific user request. That creates unnecessary data collection and network activity, which is particularly risky in a skill already empowered to install software and extend capabilities autonomously.

VirusTotal

56/56 vendors flagged this skill as clean.