ClawHub

Debug Companion

Security checks across malware telemetry and agentic risk

Overview

This is a coherent debugging helper, but users should redact sensitive details before pasting errors because the skill is designed to analyze logs and may use web lookup tools.

Install only if you are comfortable using a web-assisted debugging helper. Before sharing logs, redact API keys, tokens, passwords, internal URLs, hostnames, customer data, private paths, and proprietary code; prefer sending the smallest error excerpt needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill is triggered by users submitting error messages or tracebacks in ordinary conversation, and the README encourages direct pasting without clear scoping. In agent environments, broad triggers can cause accidental activation on unrelated chats containing logs or errors, increasing unintended processing of sensitive debugging data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly asks users to paste complete tracebacks, code snippets, and context, but does not warn that these often contain secrets, internal paths, API keys, tokens, database names, customer data, or proprietary source code. This omission can lead users to disclose sensitive information to the agent unnecessarily, creating a realistic privacy and data-handling risk.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes broad everyday phrases such as '出了个bug' and '这个错误怎么修', plus direct pasting of traceback text, which can cause the skill to activate unintentionally in normal conversation. Over-broad activation is dangerous because it may hijack unrelated user requests, invoke external search/fetch tools unnecessarily, and expose pasted stack traces or code context to additional processing paths.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends or prepares to send raw error details into an external search query, which can expose sensitive information embedded in stack traces such as file paths, internal service names, tokens, query fragments, usernames, or proprietary code identifiers. In a debugging skill, this is more dangerous because users are likely to paste real production errors, increasing the chance of unintended data exfiltration to third-party services.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal