beginner-tutor

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only tutoring skill whose broad teaching behavior is disclosed and aligned with its purpose, with no code execution, credential access, persistence, or hidden data handling found.

Safe to install for general learning and tutorial drafting. For medical, legal, financial, or other high-stakes subjects, ask the agent to keep guidance educational, verify current facts, and avoid professional advice. If the conversation uses multiple languages, specify the tutorial language before requesting the final document.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 90%
Finding
The trigger guidance is extremely broad and overlaps with ordinary help, explanation, and onboarding requests across many domains. This can cause the skill to activate in situations where a narrower or domain-specific skill would be more appropriate, leading to prompt hijacking of routing logic, weaker adherence to the principle of least privilege, and accidental application in sensitive domains such as medicine, law, or finance.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
Defaulting mixed-language conversations to Chinese without explicit user consent can override user intent and create unsafe misunderstandings, especially if the topic is technical, legal, medical, or operational. While not a classic code-execution issue, it is a policy and usability risk because it may degrade comprehension and cause incorrect reliance on generated guidance.

VirusTotal

65/65 vendors flagged this skill as clean.
