ClawHub

B

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only educational skill about the letter B, with no code, data access, persistence, or privileged behavior.

Safe to install as a lightweight reference skill. Expect it may activate too broadly for incidental uses of the letter B, so users who prefer precise routing may want narrower trigger wording, but there is no evidence of malicious behavior or sensitive access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill is described as activating whenever a user 'mentions or implies' topics related to the letter B, which is a very broad condition for a generic concept that appears in many unrelated contexts. This can cause unintended invocation, response hijacking, or over-application of the skill in conversations where 'B' appears incidentally, reducing routing precision and potentially interfering with safer or more relevant skills.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The listed triggers include broad domains like science, music, grading, and alphabet history, where references to 'B' are common but may not indicate that the user wants this skill. Such ambiguity increases the chance of accidental activation on ordinary discussions, which can lead to irrelevant answers, context capture, and suppression of more appropriate handling.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The activation criteria are excessively broad because they trigger on any mention or implication of the letter "B" and many loosely related domains such as science, music, grading, and encoding. In an agent environment, this can cause frequent unintended invocation, prompt shadowing, or routing interference with more appropriate skills, increasing the chance of irrelevant or policy-bypassing behavior through accidental activation.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest description says the skill activates when a user "mentions or implies topics related to the letter B," which is an ambiguous invocation rule. That ambiguity can make the skill overmatch ordinary conversation and compete with unrelated skills, creating reliability and security issues through unintended prompt injection surface expansion.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal