Brainstorming

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only brainstorming skill that enforces a design-first workflow, with disclosed local repository review and a narrow design-document commit step.

Install this only if you want the agent to pause creative or coding requests for structured design discussion first. Expect it to inspect project context and, after a design is approved, create a docs/plans design document and a local git commit; tell the agent upfront if you want chat-only brainstorming or no commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 96%
Finding
The manifest description says the skill 'MUST use this before any creative work' and includes broad categories like creating features, building components, adding functionality, or modifying behavior. That can cause the agent to invoke this skill for a very large portion of normal development requests, effectively hijacking workflow and forcing unnecessary project inspection and planning steps before acting.

Missing User Warnings

Medium
Confidence: 94%
Finding
The checklist instructs the agent to 'Write design doc' and 'commit' it, but does not require explicit user consent or any warning that files and git history will be modified. In practice, this can lead to repository changes being made as part of what appears to be a conversational brainstorming step, violating user expectations and enabling unintended persistent modifications.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation section directly instructs writing to docs/plans and committing the design document to git without any user-facing notice or consent check. Because this skill is framed as mandatory and broadly applicable, these hidden side effects become more dangerous: simply invoking brainstorming could result in persistent repository and history changes the user did not ask for.

VirusTotal

64/64 vendors flagged this skill as clean.
