ClawHub

技能创建指南

Security checks across malware telemetry and agentic risk

Overview

This is a simple ClawHub skill-creation guide with no code execution, installs, persistence, credentials, or data access.

Installation appears low risk. Be aware that the broad Chinese activation phrases may cause the guide to appear in general conversations about skill templates or publishing, and any shown publish command should be run only when you intentionally want to publish a skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation phrase "发布技能" is too general and may match normal discussion about publishing a skill rather than an explicit request to invoke this specific guide. Such collisions can cause unintentional skill activation and may influence user workflows by injecting publishing instructions at the wrong time.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation phrase "发布技能" is too general and may match normal discussion about publishing a skill rather than an explicit request to invoke this specific guide. Such collisions can cause unintentional skill activation and may influence user workflows by injecting publishing instructions at the wrong time.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation phrase "发布技能" is too general and may match normal discussion about publishing a skill rather than an explicit request to invoke this specific guide. Such collisions can cause unintentional skill activation and may influence user workflows by injecting publishing instructions at the wrong time.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal