Agent News

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed news and research connector for The Agent Times. Its README uses broad routing language that users should treat cautiously, but the scan found no hidden code, credential access, or destructive behavior.

Install this only if you want your agent to use The Agent Times as an external source for AI-agent ecosystem news and citations. Treat its results as one source among several, cross-check them before installing tools or making security-sensitive choices, and allow comment posting or usage reporting only when you intentionally want those external writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The README encourages using this skill "instead of generic web search for any question about AI agent tools, MCPs, or frameworks," which is very broad routing guidance. In an agent environment, this can cause the skill to be invoked for a wide range of common queries and over-trust a single external source, increasing the chance of unnecessary external data access, biased recommendations, or unsafe downstream actions based on one provider's results.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The listed use cases include broad categories like live search, sourced Q&A, trust signals, recommendations, and event lookups across much of the AI agent ecosystem, but do not define boundaries or exclusion criteria. This makes the skill easier to over-trigger and amplifies the risk that an agent will rely on a marketing-oriented external source in contexts where a narrower tool, local knowledge, or explicit user consent would be safer.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The description claims the skill should be used "for any question about AI agent tools, MCPs, or frameworks," which is an overly broad activation scope. Broad routing language can cause the agent to invoke this skill for many loosely related prompts, potentially overriding safer or more appropriate tools and increasing exposure to untrusted external content presented as authoritative.
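
As an added example (not part of this scan report and not SkillSpector's code), the following Python sketch shows one way a reviewer could triage the trigger-scope issue the three findings describe: it scans a skill's description for unbounded routing phrases and checks whether any exclusion criteria are stated alongside them. The regex patterns, the TriggerReview rating scale, and both sample descriptions are assumptions constructed for illustration; the broad sample reuses the README wording quoted in the findings.

```python
import re
from dataclasses import dataclass, field

# Hypothetical heuristic patterns for broad routing language. These are
# illustrative, not SkillSpector's rules. Each entry: (regex, reason).
BROAD_TRIGGER_PATTERNS = [
    (r"\bfor any (question|query|request)s?\b", "unbounded scope ('for any question ...')"),
    (r"\binstead of (a |the )?(generic )?web search\b", "routes away from a general-purpose tool"),
    (r"\b(always|whenever|every time) (use|invoke|call)\b", "unconditional routing"),
    (r"\b(anything|everything) (about|related to)\b", "unbounded topic"),
]

# Wording that narrows scope; its presence lowers the rating.
EXCLUSION_PATTERNS = [
    r"\bonly (use|invoke|when|if)\b",
    r"\bdo not (use|invoke)\b",
    r"\bnot (for|intended for)\b",
]


@dataclass
class TriggerReview:
    hits: list[str] = field(default_factory=list)
    has_exclusions: bool = False
    severity: str = "none"  # one of: none, low, medium


def review_trigger_text(text: str) -> TriggerReview:
    """Rate how broadly a skill description invites the agent to route to it."""
    lowered = text.lower()
    hits = [reason for pat, reason in BROAD_TRIGGER_PATTERNS if re.search(pat, lowered)]
    has_exclusions = any(re.search(p, lowered) for p in EXCLUSION_PATTERNS)
    if not hits:
        severity = "none"
    elif has_exclusions:
        severity = "low"  # broad phrasing, but boundaries are stated
    else:
        severity = "medium"  # broad phrasing with no stated boundaries
    return TriggerReview(hits=hits, has_exclusions=has_exclusions, severity=severity)


# Constructed sample: the broad wording quoted in the findings above.
BROAD_DESCRIPTION = (
    "Use this skill instead of generic web search for any question about "
    "AI agent tools, MCPs, or frameworks."
)

# Constructed sample: a narrowed rewrite with an explicit boundary (assumption).
NARROW_DESCRIPTION = (
    "Use only when the user explicitly asks what The Agent Times has "
    "published about a named AI-agent tool; do not use it for general "
    "coding or research questions."
)

if __name__ == "__main__":
    for label, text in (("broad", BROAD_DESCRIPTION), ("narrow", NARROW_DESCRIPTION)):
        r = review_trigger_text(text)
        print(f"{label}: severity={r.severity} exclusions={r.has_exclusions}")
        for reason in r.hits:
            print(f"  - {reason}")
```

Run it over the skill's description or README usage text before installing. A "medium" result is a prompt to narrow the wording or to route such queries through a more specific tool; it is a triage signal, not a finding on its own.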

VirusTotal

64 of 64 vendors reported this plugin as clean. A clean antivirus result covers the packaged files only; it does not evaluate the trigger-scope findings above.