Smart Manufacturing and Industry 4.0 (智能制造与工业4.0)

Security checks across malware telemetry and agentic risk

Overview

This is a manufacturing-analysis skill whose requested capabilities match its stated use, with no evidence of hidden execution, persistence, credential use, or data exfiltration.

Install only if you intend to analyze manufacturing operations data. Avoid uploading trade secrets, customer-identifying records, plant-security details, regulated operational records, or full ERP/MES exports unless you are authorized and have minimized or redacted the data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation section uses very broad triggers such as '优化 [生产订单数据] 的排程方案' and '分析 [设备运行参数] 是否需要提前维护' without defining clear activation boundaries, required inputs, or exclusion conditions. In an agent environment, this can cause over-triggering on loosely related user requests and may lead the skill to process sensitive manufacturing, production, or image data when the user did not intend to invoke this specialized workflow.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill is designed to handle factory production data, BOMs, maintenance telemetry, and product images, but it provides no warning that these inputs may contain sensitive operational, proprietary, or safety-relevant information. This increases the risk that users will submit confidential plant data or regulated industrial information without minimization, redaction, or approval, which is especially concerning given the skill's file_system, image_analysis, and structured_data capabilities.

VirusTotal

64/64 vendors flagged this skill as clean.
