Back to skill

Security audit

Spec Plan Build Review

Security checks across malware telemetry and agentic risk

Overview

This is a transparent instruction-only workflow for planning, building, testing, reviewing, and shipping software work.

Install this if you want an agent workflow for structured software delivery. Before using the ship steps, make sure you actually want commits, pushes, releases, or ClawHub/GitHub publication, and keep sensitive code or secrets out of any optional subagent review unless those agents are trusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation description says to use the skill when the user asks to "spec, plan, build, test, review, ship, release" or to "coordinate a multi-step coding task," which are very broad phrases in normal software conversations. The file does not provide exclusion conditions or negative examples to clarify when this skill should not activate, increasing the risk of unintended invocation.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
---
name: spec-plan-build-review
description: "Run a proportional delivery lifecycle for software or skill work: clarify scope, create a concise plan, implement, verify, review, and ship. Use when the user asks to spec, plan, build, test, review, ship, release, prepare a PR, prepare ClawHub or GitHub publication, or coordinate a multi-step coding task that should not skip verification."
---

# Spec Plan Build Review
Confidence
85% confidence
Finding
skip verification

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.