Security audit

Pain to MVP

Security checks across malware telemetry and agentic risk

Overview

This skill is a purpose-aligned product research helper that stores its findings in a user-configured TiDB database. Users should understand that persistence before using it.

Install this only if you are comfortable configuring a TiDB database for the skill and storing public-source evidence, opportunity analyses, and PRDs there. Avoid confidential product strategy unless you control the database and have your own retention/deletion process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The package declares TiDB bootstrap and database tooling scripts even though the skill is described as analyzing public discussions and drafting lightweight PRDs. This mismatch expands the skill's capabilities beyond its stated purpose and could enable unexpected data storage, collection, or exfiltration workflows if the related scripts are invoked.

Vague Triggers

Medium
Confidence: 85%
Finding
The skill description is broad enough to match common brainstorming, research, and product-advice requests without clearly signaling that it will perform external search/scraping and persist results to a database. This can cause the agent to invoke the skill in situations where the user expected lightweight advice only, leading to unexpected data collection and tool use.

Missing User Warnings

Medium
Confidence: 93%
Finding
The description does not warn users that the skill may use external search/scraping tools and store collected evidence, opportunities, and PRDs in TiDB. Without disclosure, users may unknowingly trigger collection, third-party transmission, or persistence of sensitive query content or research artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.