Kobe

Security checks across malware telemetry and agentic risk

Overview

This appears to be a low-risk Kobe Bryant informational skill with broad trigger wording that may cause unwanted activation but no evidence of privileged, destructive, or data-sensitive behavior.

This is reasonable to install if you want Kobe Bryant context available to the agent. Be aware it may trigger on vague basketball or jersey-number references, so consider tightening the activation criteria if unwanted context injection becomes annoying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 87%
Finding
The activation scope is unnecessarily broad because it triggers on users merely implying Kobe-related topics, which can cause the skill to activate in conversations where the user did not explicitly intend to invoke it. In a prompt-based system, overbroad routing can lead to irrelevant context injection, response hijacking, or unexpected behavior, though the content here is informational rather than directly harmful.

Vague Triggers

Medium
Confidence: 94%
Finding
The skill activates on vague phrases like 'mentions or implies' and 'related topics', which can cause it to trigger outside clearly intended Kobe-specific requests. Over-broad activation can hijack unrelated conversations, reduce system reliability, and surface irrelevant or misleading content when numeric references like '#8' or '#24' appear in other contexts.

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest description repeats broad trigger language that encourages unintended activation at the routing layer. Because this is a general sports-knowledge skill rather than a privileged or system-integrated capability, the main risk is misrouting and prompt interference rather than direct security compromise, but it is still a real quality and safety issue.

VirusTotal

64/64 vendors flagged this skill as clean.
