TurboQuant+ KV Cache Compression

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only local LLM tuning skill, with a notable caution around one admin-level macOS GPU memory command.

Install only if you intend to use the referenced TurboQuant llama.cpp fork. Verify the GitHub repository and preferably pin a trusted commit or release before building. Do not run the sudo sysctl command unless you understand it changes a local macOS GPU memory setting and have a rollback plan, such as restoring the prior value or rebooting if applicable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The skill includes a privileged `sudo sysctl iogpu.wired_limit_mb=117964` command that changes a system-wide GPU memory limit. Although related to enabling larger-context local inference on Apple Silicon, it introduces a privileged tuning step without sufficient safety framing, validation guidance, rollback instructions, or discussion of possible system stability and memory-pressure side effects.

Missing User Warnings

Medium (92% confidence)
Finding
The markdown instructs users to run a privileged system-setting command but does not warn about persistence, reversibility, or potential consequences such as memory contention, degraded system responsiveness, or instability. In this skill's context, the command is adjacent to legitimate performance guidance, which makes users more likely to copy-paste it without understanding the operational risk.

VirusTotal

42/42 vendors flagged this skill as clean.
