Find Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it can steer ordinary help requests into persistent third-party skill installs with confirmation skipped.

Use this skill for discovery only when you explicitly want to look for installable skills. Before installing anything it suggests, review the skill source, publisher, and page; avoid global `-g -y` installs unless you trust the package and understand that it can affect future agent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description and frontmatter define activation in very broad terms like 'how do I do X' and 'can you do X,' which overlap with a large share of ordinary user requests. This can cause the skill to trigger inappropriately and steer the agent toward searching for and installing external skills when the user did not explicitly ask for discovery or installation, increasing exposure to unnecessary external package recommendations.

Vague Triggers

Medium
Confidence: 92%
Finding
The usage section lists many ambiguous triggers without corresponding exclusions, so routine requests about coding, testing, deployment, or design could invoke this skill even when direct assistance would be safer and more appropriate. In a skill whose purpose is to discover installable extensions from external sources, overbroad invocation materially increases the chance of unnecessary supply-chain exposure and user confusion.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill recommends `npx skills add <owner/repo@skill> -g -y`, which performs global installation and suppresses confirmation prompts, but it does not warn users about the trust and persistence implications of installing third-party code-like assets from external sources. This reduces friction around potentially risky installs and could lead to accidental acceptance of unreviewed or malicious skills affecting future agent behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
