ClawHub

TUI USE

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed guide for controlling terminal user interfaces, which is powerful but aligned with its stated purpose.

Before installing, verify the external tui-agent source and version because the executable helper was not included here. Use it only for terminal sessions you intend an agent to see and control, avoid displaying secrets, and confirm before edits, database changes, shell commands, or other high-impact actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger description is extremely broad and includes ordinary requests like opening editors, checking htop, or general terminal automation, which can cause the skill to activate in many routine contexts. Because this skill provides a powerful interface for launching interactive programs, sending keystrokes, and driving shells, over-triggering increases the chance of unintended command execution, unsafe file modifications, or bypass of safer non-interactive workflows.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill includes concrete file-editing workflows for nano and vim that perform writes and saves, but it does not prominently warn that these actions modify files and may persist changes. In an automation context, that omission can lead an agent to alter user files or system configuration without sufficient acknowledgement, especially when paired with a tool that can type commands and save edits automatically.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal