ClawHub

视频调色 705d12

Security checks across malware telemetry and agentic risk

Overview

This appears to be a low-risk video color-grading guide, but it is messy and may give unreliable or off-topic answers.

Install only if you are comfortable with a noisy, auto-merged guide. It should not be treated as a carefully curated color-grading reference until the publisher removes unrelated sofa/hash sections, deduplicates repeated blocks, and narrows triggers to specific Pocket3 or Nikon workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is supposed to teach video color grading, but merged content includes unrelated sofa-product material and opaque hash-like strings from deleted or unrelated accounts. This content drift can cause the agent to activate on irrelevant prompts and return low-integrity or misleading guidance, indicating unsafe skill composition and poor provenance control.

Vague Triggers

Medium
Confidence
85% confidence
Finding
A broad trigger such as serving any user who 'needs video color-grading help' can cause this noisy, merged skill to activate for many generic requests beyond its validated scope. Because the file contains off-topic and low-integrity merged content, overbroad routing increases the chance of inappropriate or misleading responses.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The merged subsection uses a generic help trigger for a poorly defined skill built from deleted-account and hash-like content. This can route unrelated user requests into low-quality or nonsensical instructions, making the activation logic unsafe from an integrity perspective.

Vague Triggers

Medium
Confidence
84% confidence
Finding
This trigger is overly broad for a merged skill section whose content is largely opaque and not self-descriptive. If activated, the agent may surface irrelevant or fabricated guidance, so the danger comes from unsafe routing combined with corrupted skill content.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger examples in this repeated merged section are broad enough to match generic requests, but the underlying content here is at least related to Nikon color-grading workflows. That makes it less dangerous than the clearly off-topic merged fragments, though still prone to misrouting and user confusion.

Vague Triggers

Medium
Confidence
79% confidence
Finding
This repeated merged section again uses generic activation conditions for content that is narrower than the trigger implies. Broad matching can make the agent answer outside the exact supported workflow, reducing response integrity and increasing confusion.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The final repeated trigger remains broader than the actual content and appears in a duplicated auto-merged section, which compounds routing ambiguity. While not a direct exploit vector, it can repeatedly misapply this skill to generic requests and degrade trust in the system's answers.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal