ClawHub

Rotifer Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be an agent-building helper with broad activation wording, but no evidence of hidden, destructive, persistent, or credential-seeking behavior was provided or found.

Install this if you want Rotifer-related agent-building guidance. Be aware that its broad trigger wording may cause it to activate for general agent questions, so review the skill’s instructions and prefer explicit Rotifer-specific requests when using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README uses very broad natural-language example triggers such as 'Build an agent' and 'Create a code review agent' without defining tight activation boundaries, exclusions, or required confirmation. In an agent-skill ecosystem, this can cause the skill to activate in unintended contexts and steer workflows toward agent creation or composition actions the user did not explicitly intend, increasing the chance of overreach or unsafe chaining with other capabilities.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest trigger list contains several broad, generic phrases such as "build Agent," "agent create," "agent run," and "Agent architecture" that could match ordinary user requests outside the narrow Rotifer context. This can cause the skill to activate inappropriately and steer users into executing Rotifer-specific workflows or commands when they were asking more generally about agent design, increasing the risk of misrouting and unsafe tool guidance.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal