短视频爆款工厂 (Short-Video Viral Hit Factory)

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only short-video content planning skill with disclosed trend/competitor analysis behavior and no evidence of hidden code, exfiltration, persistence, or destructive actions.

Install this if you want a Chinese-language assistant for short-video topic planning and scripting. Before giving it live platform data, account analytics, competitor lists, or credentials/API access, make the scope explicit and avoid letting it perform ongoing monitoring or account-management actions unless you specifically request that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The skill's usage section is effectively always-on: it invites the model to automatically scan trending topics (热点) and competitors (竞品), generate plans (生成方案), write scripts (撰写脚本), and track data (追踪数据) without any explicit trigger boundaries, user confirmation gates, or scope checks. Overly broad activation increases the chance the skill will be applied in unintended contexts, causing unrequested autonomous behavior, excessive data gathering assumptions, or policy-unsafe actions to be inferred from vague user input.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The skill content is written entirely in Chinese and implicitly constrains interaction/output behavior to Chinese without offering user choice or documenting why language restriction is necessary. This can override user preference, reduce transparency, and cause misuse in multilingual environments where the agent should preserve the user's requested language or locale.

VirusTotal

63/63 vendors flagged this skill as clean.