Debug Probe

Security checks across malware telemetry and agentic risk

Overview

This is a useful debugging workflow, but it needs review because it can cause automatic source-code instrumentation and diagnostic log export without enough safeguards for consent or sensitive data.

Review before installing, especially globally. Use it on a clean branch and in development or staging, require confirmation before adding instrumentation or deploying, avoid logging secrets or personal data, inspect any exported logs before sharing them, and verify all DIAG-marked code and dump hooks are removed after debugging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README describes inserting instrumentation into source code during debugging but does not clearly warn users that the skill may modify files. That omission can lead to unexpected code changes, accidental commits of debug probes, or alteration of sensitive code paths without informed user consent, which is especially risky for an automatically triggered debugging skill.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list is overly broad and includes generic terms like 'debug', 'bug', 'broken', 'not working', and 'investigate', which can cause the skill to activate in many routine contexts where the user did not intend runtime instrumentation. In this skill, unintended activation is more dangerous because the workflow explicitly directs adding diagnostic logging and exporting logs, increasing the chance of unnecessary code changes and inadvertent exposure of sensitive runtime data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to insert logging, collect runtime output, and have the user export logs, but it provides no warning about secrets, personal data, tokens, or system-sensitive values being captured in those logs. In the context of a debugging skill, this omission is significant because instrumentation often touches authentication, state, requests, and error paths where sensitive data commonly appears, making accidental disclosure plausible.

Missing User Warnings

Medium
Confidence: 91%
Finding
The template explicitly encourages diagnostic logging of values such as `userId` and `tokenExp`, and other examples across the file print buffered diagnostic data to console or expose dump functions. In practice, debugging helpers like this often end up capturing identifiers, auth metadata, or other sensitive runtime context, and the file does not provide strong privacy guidance, redaction requirements, or access controls for dump/export paths.

VirusTotal

VirusTotal findings are pending for this skill version.
