Professional Communication

Security checks across malware telemetry and agentic risk

Overview

This is a professional writing helper made of markdown templates, with no code execution or hidden data access, though its meeting-recording advice needs normal workplace privacy caution.

Safe to install as a writing aid. Review generated messages before sending, and treat any meeting-recording advice as conditional: get required consent, follow company policy and local law, restrict sharing, and avoid recording sensitive discussions unless explicitly approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (92% confidence)
Finding
The manifest description uses very broad trigger terms like email, message, and status update, which can cause the skill to activate for many routine conversations outside a narrowly defined scope. Over-broad routing increases the chance the agent applies this skill in unintended contexts, leading to prompt hijacking of task selection, irrelevant guidance, or interference with more appropriate skills.

Vague Triggers

Medium (89% confidence)
Finding
The usage guidance says to use the skill for "Any written communication to teammates, managers, or stakeholders," which is an effectively unconstrained activation condition. In agent systems, such broad applicability can overshadow other specialized skills and cause misrouting, making the system easier to manipulate or less reliable in selecting the safest and most relevant skill.

Missing User Warnings

Medium (91% confidence)
Finding
The guidance recommends recording meetings without warning readers to obtain consent, follow company policy, or consider legal/privacy requirements. In remote communication guidance, this omission can lead users to record sensitive discussions by default, creating privacy, compliance, and data-retention risks.

Missing User Warnings

Medium (95% confidence)
Finding
This section repeats and reinforces a norm of recording important sync meetings, but still omits privacy, consent, and data-handling safeguards. Because it appears in prescriptive team guidance, readers may adopt blanket recording practices that expose personal data, confidential business information, or regulated content.

VirusTotal

64/64 vendors flagged this skill as clean.
