Scenario First Thinking

Security checks across malware telemetry and agentic risk

Overview

This is mostly a thinking-framework skill, but it includes under-scoped handoffs to external workflow/memory systems and an approval-bypass instruction in crisis mode.

Review before installing. Use it as a reasoning aid, but do not let it bypass confirmations for external actions, publishing, file/account changes, or irreversible steps. Only enable any Memory_Bus or layout/render integration if you know what data will be sent, where it is stored, and how to inspect or delete it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 90%

Finding: The skill claims it is fully self-contained and does not require external files, but later sections route outputs into external components and pipelines such as render flows, Layout_Editor, and Memory_Bus. This mismatch can cause the agent or user to trust the skill's execution boundary incorrectly, leading to hidden dependencies, unintended actions, or bypass of expected review points.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%

Finding: The manifest presents the skill as a scenario-routing and thinking aid, but the body expands into operational workflow behavior such as publishing, rendering, layout input preparation, memory bus writes, and skipping approvals in crisis mode. This scope expansion is risky because users or orchestrators may grant the skill broader authority than intended based on an understated manifest description.

Vague Triggers

Severity: Medium
Confidence: 95%

Finding: The activation condition states the skill should trigger for 'any task requiring thinking and decision-making,' which is so broad that it can match nearly all user requests. In an agent environment, this creates routing overreach: the skill may intercept unrelated or sensitive tasks, influence downstream tool selection, and increase the chance of inappropriate execution or policy bypass through unintended activation.

Vague Triggers

Severity: High
Confidence: 94%

Finding: The trigger phrases are extremely broad, covering common conversational terms like learning, writing, urgency, ideas, prioritization, and strategy. Such loose matching can cause accidental activation in ordinary dialogue, leading the skill to steer behavior, invoke downstream tooling, or alter workflows when the user did not intend to use this skill.

Vague Triggers

Severity: Medium
Confidence: 91%

Finding: Defaulting ambiguous inputs to scenario 4 means the skill activates even when routing confidence is low, making the activation boundary unclear. In this skill's context, that is more dangerous because scenario routing is tied to action sequences and downstream workflow integration, so ambiguity can still produce operational effects.

Vague Triggers

Severity: Medium
Confidence: 93%

Finding: The routing triggers rely on very broad everyday terms such as '要不要' ("should I or not") and '该不该' ("ought I or not"), which can match many ordinary user requests that are not actually asking for this scenario. In an agent skill that auto-routes to tool sequences, ambiguous activation increases the chance of unintended invocation, misclassification, and execution of an inappropriate reasoning workflow.

Vague Triggers

Severity: Medium
Confidence: 95%

Finding: Phrases like '怎么办' ("what should I do") and '能不能' ("can I or not") are highly generic and appear in many benign requests across different contexts, so they do not define reliable activation boundaries. Because this skill is designed as a central routing entrypoint, vague triggers can cause frequent over-triggering or scenario conflicts, leading the agent to apply the wrong tools under time-sensitive or exploratory contexts.

VirusTotal

65/65 vendors flagged this skill as clean.