ClawHub

Debug Master

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only debugging skill with no hidden execution, persistence, credential access, or install-time behavior shown.

Safe to install as a debugging reference. Review any suggested debug or test command before allowing an agent to run it, especially in projects where tests or scripts can modify data, call external services, or touch production credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list is broad and includes generic phrases like '帮我看看', 'debug', and '为什么不行', which can match many ordinary user requests outside a narrowly scoped debugging workflow. This can cause the skill to activate unintentionally, overriding user intent or injecting debugging-oriented behavior into unrelated conversations.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The manifest description embeds trigger wording directly in a broad promotional sentence without defining when the skill should or should not activate. This increases ambiguity for routing systems and can lead to over-selection of the skill for common support or coding requests that are not actually asking for debugging assistance.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The manifest description is written entirely in Chinese and frames the skill presentation in that language without any indication that language should follow user preference. In multilingual environments, this can degrade usability, confuse users, or cause the skill to respond in an unexpected language when invoked.

VirusTotal

38/38 vendors flagged this skill as clean.

View on VirusTotal