Flutter Dev Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Flutter helper skill with broad activation wording but no evidence of hidden execution, data access, or persistence.

Safe to install if you want Flutter/Dart reference help. Expect Chinese-oriented guidance and possible activation on some general mobile UI topics because the trigger list is broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger terms are broad enough to match generic discussions of Flutter, Dart, mobile development, and cross-platform topics, which can cause the skill to activate outside the user's intended context. Over-broad activation is dangerous because it can hijack conversations, inject domain-specific guidance when not requested, and reduce user control over which skill is being invoked.

Natural-Language Policy Violations

Medium
Confidence: 80%
Finding
The README is written entirely in Chinese and does not indicate whether the skill can adapt to the user's language or is intentionally restricted to Chinese-speaking users. This can lead to mismatched language behavior, unexpected responses, and reduced transparency for users who invoke the skill in another language.

Vague Triggers

Medium
Confidence: 96%
Finding
The trigger list is extremely broad and includes common development terms such as 'Animation', 'Provider', 'BuildContext', and generic mobile-development phrases. This can cause the skill to activate on unrelated requests, creating prompt-routing confusion and increasing the chance that users receive unintended skill-specific instructions instead of the correct assistant behavior.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The skill description and output-format section constrain responses to Chinese without offering a user-language fallback or documenting a justified restriction. In practice, this can override user intent, degrade usability, and create a routing/policy mismatch where the system responds in an unexpected language, which is especially problematic in technical guidance where precision matters.

VirusTotal

65/65 vendors flagged this skill as clean.
