skill-router

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it tries to make itself an always-on router for every question and may load extra skills or expose local skill metadata more broadly than users expect.

Install only if you intentionally want a global skill router that can influence every response. Review the generated SKILL.md before use, avoid sharing it if your installed skills are sensitive, and consider narrowing the router so it only activates for clear matches and does not append detailed usage reports by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill references a local generation workflow (`scripts/generate.py`) that implies filesystem read/write behavior, but no permissions are declared. Undeclared capabilities reduce transparency and can bypass operator expectations about what the skill may access or modify, especially if the skill is later paired with automation that executes maintenance instructions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a mandatory runtime router for every user request, but the described behavior also includes offline filesystem scanning, YAML parsing, and Markdown generation. This mismatch is dangerous because reviewers and agents may trust the declared purpose while overlooking broader behavior that can enumerate local resources and modify repository content.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The README instructs users to consult this router first for effectively any question, which creates an always-on interception pattern without clear boundaries for when the skill should or should not engage. In a skill-routing context, overly broad invocation increases the chance of unnecessary skill loading, instruction conflicts, and inadvertent exposure of user context to unrelated downstream skills.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The README says the generator scans the local ~/.claude/skills directory and reads each skill's metadata, but it does not clearly disclose what data is accessed, how it is used, or what may be written into generated output. While this is local-only behavior, insufficient notice can lead users to expose private internal skill names, descriptions, or organizational metadata without realizing it.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
Mandating a usage report at the end of every answer overrides normal user-controlled response formatting and may cause the assistant to append content even when the user requests otherwise. In practice this can create privacy, compliance, and prompt-integrity issues because metadata about tool or skill selection is disclosed by default rather than on demand.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README explicitly states that the generator scans the user's local ~/.claude/skills directory and reads each skill's name and description, but it does not disclose privacy implications or recommend consent before indexing potentially sensitive locally installed skills. In a router skill whose purpose is to inventory all installed capabilities, this increases risk because skill metadata may reveal internal tools, security capabilities, proprietary workflows, or regulated-use plugins.

Vague Triggers

High
Confidence
97% confidence
Finding
The instruction to consult this skill before answering any question creates a universal interception point for all prompts. Overly broad routing increases attack surface by forcing unnecessary skill loading, enabling privilege creep, and making it easier for a compromised or low-quality router to influence unrelated tasks.

Vague Triggers

High
Confidence
95% confidence
Finding
The mandatory consultation directive lacks scope constraints, exception handling, and safety boundaries. In practice, this can override normal least-privilege behavior and cause the router to be treated as authoritative for every interaction, even when routing is irrelevant or risky.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The guidance to match on broad keywords, load all possible skills, and 'when in doubt, load one more' encourages systematic over-triggering. That behavior can expose more context than needed, pull in irrelevant or conflicting instructions, and increase the chance that a malicious or unsafe skill is unnecessarily activated.

Ssd 3

Medium
Confidence
91% confidence
Finding
Always-on usage reporting can disclose internal reasoning-adjacent metadata about what skills were considered or used for each request, which may reveal sensitive aspects of the user's query or workflow. In shared chats, logs, or copied responses, this creates a persistent side channel that leaks context beyond the substantive answer.

Ssd 3

Medium
Confidence
95% confidence
Finding
The example usage report includes human-readable reasons such as 'User mentioned Go concurrency,' which directly echoes attributes derived from the prompt and can leak user-supplied context into the response footer. This is especially risky for sensitive topics, because the reporting channel may restate confidential details even when the main answer is sanitized or broadly shareable.
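
The findings above describe patterns that can be checked mechanically before a router skill is installed. The following is an added example, not code from the skill-router project, SkillSpector or VirusTotal: a small Python lint that parses a SKILL.md and flags always-on trigger language, over-triggering guidance, a usage report appended by default, a report template that echoes user context, and a referenced local script with no declared permissions. The frontmatter layout (`name`, `description`, an optional `allowed-tools` list), the phrase lists, and both sample SKILL.md documents are assumptions constructed for illustration; the second sample is the narrowed configuration the Overview recommends. Category labels follow the finding titles on this page where they exist; "Usage Report Echo" is a label chosen here.

```python
"""Heuristic lint of a SKILL.md for the finding classes listed on this page.

Added example; not code from skill-router, SkillSpector or VirusTotal.
Assumed layout: `---`-delimited frontmatter with `name`, `description` and an
optional `allowed-tools` list, then a Markdown body. Phrase lists are heuristics.
"""
import re

# Always-on interception: the skill wants to see every prompt.
ALWAYS_ON = re.compile(
    r"\b(before answering (any|every) (question|request|prompt)"
    r"|consult (this|the) (skill|router) first"
    r"|for (every|all) (user )?(request|question|prompt)s?)\b", re.IGNORECASE)
# Over-triggering: load extra skills on weak evidence.
OVER_TRIGGER = re.compile(
    r"\b(load all (possible|available) skills"
    r"|when in doubt,? load (one more|another)"
    r"|match on broad keywords)\b", re.IGNORECASE)
# Usage report appended by default rather than on request.
MANDATORY_REPORT = re.compile(
    r"\b(always|must) (append|include|add) (a|the) usage report\b"
    r"|\busage report\b.{0,40}\bat the end of (every|each) (answer|response)\b",
    re.IGNORECASE)
# Report template that restates what the user said.
CONTEXT_ECHO = re.compile(r"\buser (mentioned|asked about|said)\b", re.IGNORECASE)
# Local script reference that implies filesystem read/write.
SCRIPT_REF = re.compile(r"\bscripts?/[\w./-]+\.(py|sh|js|ts)\b")


def parse_frontmatter(text):
    """Split SKILL.md into (metadata, body).

    Handles only the YAML subset `key: value` and `key:` followed by `- item`
    lines; an assumed layout, not a full YAML parser.
    """
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "---":
        return {}, text
    meta, key, i = {}, None, 1
    while i < len(lines) and lines[i].strip() != "---":
        match = re.match(r"^([\w-]+):\s*(.*)$", lines[i])
        if match:
            key, value = match.group(1), match.group(2).strip()
            meta[key] = value if value else []
        elif key and isinstance(meta[key], list) and lines[i].strip().startswith("- "):
            meta[key].append(lines[i].strip()[2:].strip())
        i += 1
    return meta, "\n".join(lines[i + 1:])


def lint_skill(text):
    """Return (severity, category, message) tuples for each heuristic that fires."""
    meta, body = parse_frontmatter(text)
    # Collapse whitespace so phrases wrapped across lines still match.
    desc = " ".join(str(meta.get("description", "")).split())
    flat = " ".join(body.split())
    findings = []
    if ALWAYS_ON.search(desc) or ALWAYS_ON.search(flat):
        findings.append(("High", "Vague Triggers",
                         "skill demands consultation on every request; restrict it to explicit matches"))
    if OVER_TRIGGER.search(flat):
        findings.append(("Medium", "Vague Triggers",
                         "guidance encourages loading additional skills on weak evidence"))
    if MANDATORY_REPORT.search(flat):
        findings.append(("Low", "Natural-Language Policy Violations",
                         "usage report is appended by default instead of on request"))
    if CONTEXT_ECHO.search(flat):
        findings.append(("Medium", "Usage Report Echo",
                         "report template restates user-supplied context in the footer"))
    if SCRIPT_REF.search(flat) and not meta.get("allowed-tools"):
        findings.append(("Medium", "MCP Least Privilege",
                         "local script referenced but no `allowed-tools` declared"))
    return findings


# Constructed sample resembling the router described above (not its real SKILL.md).
ROUTER_SKILL = """
---
name: skill-router
description: Consult this skill first before answering any question.
---
# Skill Router
Consult this router first, before answering any question. Match on broad
keywords, load all possible skills, and when in doubt, load one more.
Always append a usage report at the end of every answer, for example:
  Skills used: go-concurrency (reason: User mentioned Go concurrency)
Regenerate the routing table with `scripts/generate.py`, which scans
~/.claude/skills and reads each skill's name and description.
"""

# Constructed hardened variant: explicit trigger, one skill per turn, report on demand.
HARDENED_SKILL = """
---
name: skill-router
description: Suggest an installed skill when the user explicitly asks which skill fits a task.
allowed-tools:
  - Read
  - Write
---
# Skill Router
Activate only when the user explicitly asks which installed skill fits the task.
Load at most one skill per turn; if there is no clear match, answer without routing.
Offer a usage report only if the user asks for one.
Regenerate the routing table with `scripts/generate.py`; it reads only the
`name` field of each SKILL.md under ~/.claude/skills and writes routing.md.
"""

if __name__ == "__main__":
    for label, skill in (("router", ROUTER_SKILL), ("hardened", HARDENED_SKILL)):
        print(f"{label}: {len(lint_skill(skill))} finding(s)")
        for severity, category, message in lint_skill(skill):
            print(f"  [{severity}] {category}: {message}")
```

Run directly, the script reports five findings for the router sample and none for the hardened variant, which triggers only on an explicit request, loads at most one skill, reports only on demand, and declares the tools its script needs. Phrase matching is a heuristic and will miss rewordings; treat a clean result as a prompt for manual review of the SKILL.md, not as clearance.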

VirusTotal

65/65 vendors flagged this skill as clean.