ClawHub

Ai绘画 Ddcd9b

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable AI image tutorial/reference skill with broad activation wording, but no hidden code, data access, persistence, or harmful actions were found.

Install only if you want a lightweight Chinese AI-image tutorial reference sourced from video titles and links. Expect promotional or unverified tutorial claims, and consider narrowing the triggers if accidental activation would be annoying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger scenarios include broad phrases like users saying "AI绘画" or generally needing related help, which are likely to match ordinary conversation and activate the skill unintentionally. Overbroad activation increases the chance that the agent invokes this skill in unrelated contexts, exposing users to low-quality or policy-bypassing guidance gathered from unvetted video sources.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The manifest trigger field uses generic keywords such as "AI绘画" and "ComfyUI," which are common topic terms rather than precise activation phrases. This can cause accidental routing to the skill whenever a user discusses those subjects, giving this skill disproportionate activation surface compared with its specificity and trust level.

Vague Triggers

Medium
Confidence
90% confidence
Finding
This nested trigger section repeats a broad help-style activation pattern, including general requests for related help, without clear scoping or user confirmation. Repeated ambiguous activators across merged content increase the probability of unintended invocation and make routing behavior harder to reason about safely.

Vague Triggers

High
Confidence
98% confidence
Finding
Using "免费" as a trigger is extremely broad and likely to collide with everyday speech in many unrelated user requests. Because this skill also references "无敏感提示词" and unvetted AI-generation tooling, accidental activation could route users toward content that bypasses safeguards or promotes uncontrolled tool usage far outside intended contexts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal