TOSR Test Skill

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only test skill that openly describes live ClawHub lifecycle API actions, including deletion, but does not bundle code or hidden behavior.

Install or invoke this only if you intentionally want to run a ClawHub lifecycle test. Use a test account or disposable test skill, confirm the exact slug before publish/update/delete steps, and avoid running it with production credentials unless that is deliberate.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill explicitly describes performing create, update, and delete operations against the real API, but it does not present a clear warning, confirmation gate, or safety constraints around those live and destructive effects. Even if intended for testing, documentation that normalizes real-environment mutation without explicit safeguards can lead operators or agents to run destructive actions unintentionally.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal