ClawHub

建筑学长AI工作流

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent interior-design automation workflow, but it asks for broad automatic browser, download, file-generation, and daily scheduled activity without clear user control.

Install only if you want a highly automated design assistant. Before running it, require the agent to confirm the project folder, download sources, desktop writes, browser automation, file renaming/packaging, and any scheduled daily task; do not enable the scheduled downloader unless you know how to stop and remove it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation description is broad ('当需要梳理设计方案AI工作流、测试全流程跑通、使用建筑学长AI能力时使用'), which can cause the skill to trigger in loosely related contexts without clear user intent. In a skill that performs file creation, downloads, packaging, and workflow orchestration, ambiguous activation increases the risk of unintended side effects and overbroad execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill promises automatic downloads, folder creation, file generation, renaming, budgeting outputs, PPT generation, and packaging, but it does not provide explicit user-facing warnings or consent gates before modifying local data. This is dangerous because users may invoke the skill expecting planning assistance, while the skill performs persistent filesystem changes and bulk content handling that could overwrite files, create data sprawl, or process sensitive project materials without informed approval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes automatic downloading of generated website content and even a daily scheduled task, but it does not disclose the extent of network access, background persistence, or ongoing automated behavior. This is risky because persistent or periodic network activity can continue beyond the user's immediate session, potentially downloading unreviewed files, exposing usage patterns, or causing unanticipated resource and privacy impacts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal