Ai Intelligent Asset Management

Security checks across malware telemetry and agentic risk

Overview

The inspected skill artifacts are coherent development and maintainer helpers with disclosed powerful commands and no evidence of hidden exfiltration or destructive behavior.

Install only if you want ClawHub/Convex development automation. Review commands before running workflows that can change moderation state, publish PR proof, install packages, send diffs to reviewer CLIs, or run nested Codex with full local access; use the documented opt-outs where you need stricter containment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill description and feature list are broad, but they do not define when the skill should activate, what user intents it is allowed to handle, or what boundaries apply to asset-management actions. In an agent setting, this can cause overbroad invocation or authority creep, increasing the chance the skill is selected for requests outside its intended scope and exposing sensitive IT asset or license data unnecessarily.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal