ClawHub

Cheatsheet Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local Markdown cheat-sheet generator with broad triggers, but the reviewed code only renders bundled text templates and does not access credentials, network services, or files automatically.

Install this only if you want OpenClaw to run a local Node-based cheat-sheet renderer for quick-reference requests. Be aware that generic phrases like “manual” or “configuration guide” may trigger it unexpectedly, and review any generated command examples or file-save redirections before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README advertises very broad and ambiguous trigger phrases, including examples that do not clearly map to the stated trigger conditions and even unrelated phrases like 'OpenClaw 技能开发指南'. In an agent skill system, overly broad natural-language triggers can cause accidental invocation, routing confusion, or inappropriate handling of requests outside the skill’s intended scope, especially when the skill claims support for 'any domain' and file export.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The regex triggers are broad enough to match many unrelated user requests, such as generic references to manuals, configuration guides, or anything containing '速查' or '手册'. In an agent system, this can cause unintended invocation of an exec-based skill, leading to prompt hijacking of routing, surprising behavior, and possible downstream risk if the invoked script processes arbitrary extracted arguments unsafely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal