Windows File Manager

Security checks across malware telemetry and agentic risk

Overview

This file-management skill is purpose-aligned, but it gives an agent broad file deletion and batch-change abilities without reliable safeguards.

Install only if you are comfortable letting the agent manage local files. Before any delete, move, rename, overwrite, or batch operation, require it to list the exact affected paths, confirm the intended folder scope, and keep backups or use a recycle-bin workflow where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%

Finding: The skill claims its safety mechanisms are complete, but destructive operations like delete, move, and batch delete do not call any safety gate before executing. This creates a misleading trust signal: users or downstream agents may assume protections exist when the code can still perform irreversible filesystem actions on arbitrary paths.

Intent-Code Divergence

Medium
Confidence: 98%

Finding: The documented '安全操作' ("Safe Operations") section only defines helper functions and a blacklist, but none of the exposed file-management commands invoke them. As a result, the presence of a safety section may falsely reassure operators while leaving all dangerous operations fully unrestricted.

Missing User Warnings

High
Confidence: 93%

Finding: The skill advertises deletion of files and folders, including recursive folder deletion, without making clear that these actions are destructive, irreversible, and should require confirmation. In the context of a file-management skill with broad filesystem access, this increases the risk of accidental or unsafe data loss.

VirusTotal

66/66 vendors flagged this skill as clean.
