ClawHub

全能竞品情报官

Security checks across malware telemetry and agentic risk

Overview

This competitor-intelligence skill is mostly coherent, but it asks the agent to run broad multi-platform scraping and continuous monitoring with too little scoping or compliance guidance.

Review before installing. Use this only for lawful, public, user-authorized competitive research, and explicitly limit the target platforms, date range, monitoring frequency, report destinations, retention, and stop conditions before asking an agent to run it. Avoid collecting personal data or bypassing platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill defines open-ended execution behavior after a user provides a monitoring target, including full-platform scanning, historical collection, continuous monitoring, alerting, and automatic reporting, without clear trigger boundaries or consent checkpoints. This can cause the agent to over-collect data, take persistent actions the user may not have explicitly authorized, and expand scope beyond a narrowly requested task.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill promotes broad multi-platform scraping, frequent collection, sentiment monitoring, supplier tracking, and continuous surveillance, but does not present a clear warning about privacy implications, platform terms-of-service, rate limits, or operational impact. In context, this is more dangerous because the skill is explicitly designed for persistent competitive intelligence gathering across many services, increasing the risk of unauthorized collection, policy violations, and unintended handling of personal or sensitive business data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal