Turborepo

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Turborepo guidance skill with no executable payload or hidden behavior, though users should handle CI secrets and remote cache settings carefully.

Safe to install as Turborepo guidance. Review any generated package.json, turbo.json, and CI changes before applying them; keep tokens least-privileged; avoid passing secrets globally where task-level scoping works; and only enable remote caching with trusted providers/endpoints and non-sensitive outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The frontmatter description uses broad trigger phrases like 'create a workflow', 'make a task', and 'generate a pipeline', which can match many unrelated user requests and cause this skill to be loaded outside a Turborepo-specific context. Over-broad activation increases the chance the agent applies monorepo build guidance inappropriately, leading to incorrect file edits or configuration changes in unrelated projects.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation explicitly recommends passing secrets such as AWS_SECRET_KEY and GITHUB_TOKEN through task environments while also discussing remote caching configuration, but it does not warn that tasks may log, misuse, or package sensitive values into cacheable outputs. In a build-system context, this can lead to credential exposure through CI logs, child processes, or remotely shared cache artifacts if users misunderstand the trust boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.
