ClawHub

数据分析 6450d8

Security checks across malware telemetry and agentic risk

Overview

This is a passive data-analysis learning guide with broad and duplicated triggers, but it does not request sensitive access or perform actions on the user’s system.

Install only if you want a lightweight Chinese-language data-analysis study guide. Be aware it may activate on broad phrases like “数据分析” or “2026最新版,” so users who prefer precise skill routing may want the publisher to deduplicate the file and narrow the trigger terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The top-level trigger uses broad phrases like '数据分析' and other generic learning terms that are likely to overlap with ordinary user requests. This can cause the skill to activate unintentionally and inject unrelated instructions or content into conversations, increasing prompt-surface and policy-bypass risk even though the skill is only a guide.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger scenarios say the skill should activate when a user says very common phrases or generally needs data-analysis help, which is too ambiguous for safe routing. In an agent environment, that can make this skill intercept broad classes of benign queries and influence outputs without clear user intent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The repeated merged section preserves vague trigger phrases and duplicates activation logic, compounding the chance of accidental invocation. Duplication also makes review harder and increases the risk that one overly broad trigger remains after partial edits.

Vague Triggers

Low
Confidence
91% confidence
Finding
This repeated trigger block again uses ambiguous conditions, but its impact is somewhat lower because it appears to duplicate earlier unsafe routing rather than introduce a new capability. Still, repeated broad conditions enlarge the attack surface for unintentional skill selection and prompt interference.

Vague Triggers

Low
Confidence
90% confidence
Finding
The final merged trigger block still lacks specific invocation constraints, so the file ends with unresolved ambiguous routing behavior. While the content is educational rather than overtly malicious, broad activation in a skill system is dangerous because it can hijack normal requests and surface unintended instructions or low-quality guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal