ClawHub Installer

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward helper for finding and installing ClawHub skills, with installation generally requiring user confirmation.

Before installing a recommended skill, check the exact slug, version, publisher, and what permissions or behaviors that skill adds. Avoid broad update commands unless you intentionally want to update installed skills.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The activation criteria are broad enough to trigger on generic requests to find or install capabilities, which can cause the agent to pivot into package/skill discovery and installation without strong scoping. In a skill that directly recommends and installs third-party skills, over-broad activation increases the chance of unnecessary or unsafe supply-chain actions being initiated from casual user phrasing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal