ClawHub

Superpowers Dev Workflow

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only coding workflow skill whose powerful actions are disclosed and tied to software-development tasks.

Install this if you want a strict coding workflow that may run tests, create commits, spawn subagents, and help merge or open PRs. Review generated plans, commands, diffs, branch names, and PR text before execution, and do not put secrets or private credentials into plan files or subagent prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description uses broad trigger phrases like 'let's build', 'help me plan', and 'this is broken', which overlap with many normal user requests. In an agent system, this can cause unintended activation of a powerful workflow that requires exec and sessions_spawn, increasing the chance of unnecessary code execution, context switching, or unsafe delegation.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The Phase 1 trigger 'User wants to build something' is underspecified and does not clearly limit activation to appropriate repositories, coding tasks, or explicit user consent for the full workflow. Because this skill enforces a mandatory multi-phase process, ambiguous activation can override simpler and safer handling paths and lead to unnecessary planning, file writes, commits, or subagent use.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The debugging trigger covers 'Bug, test failure, unexpected behaviour — any technical issue,' which is broad enough to capture nearly any problem report. In the context of a skill that can drive investigation and execution workflows, this can lead to over-activation on vague complaints, causing unnecessary tooling use and potentially risky automated actions before the user clearly requests that level of intervention.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal