ClawHub

游戏攻略大师

Security checks across malware telemetry and agentic risk

Overview

This gaming helper is not malicious, but it asks for broad game-account syncing and automatic hardware inspection without clearly explaining consent, data scope, or retention.

Install only if you are comfortable with a broad gaming assistant potentially using game-library, achievement, playtime, review, and hardware information. Before connecting any account or allowing hardware checks, ask it to use a manual/no-login mode where possible, confirm exactly what data it will read, and avoid providing tokens or credentials unless the workflow clearly explains scope and deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description is extremely broad, spanning recommendations, walkthroughs, esports analysis, mod management, hardware inspection, and account-linked syncing across many platforms. Overly broad invocation criteria can cause the agent to activate this skill in contexts involving sensitive account, device, or behavioral data without clear user intent or appropriate safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises linking Steam/Epic/PSN/Xbox libraries and analyzing playtime, achievements, and reviews, but provides no warning about what account data would be accessed, stored, or transmitted. This creates privacy and consent risk because users may not realize the skill could process detailed gaming history and platform-linked account information.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Automatic hardware detection implies inspection of local system information, but the skill does not warn users that device characteristics may be collected or analyzed. Even if limited to compatibility checks, silent collection of hardware details can expose fingerprinting and privacy concerns.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Describing instant synchronization with the Steam API without any warning about account access, API credentials, or synchronization scope is a real security and privacy issue. Users may unknowingly authorize access to achievement and gameplay metadata, and the absence of consent and retention details increases the risk of over-collection or misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal