Nuwa 女娲
Security checks across malware telemetry and agentic risk
Overview
Nuwa appears to be an instruction-only research skill for creating local “perspective” skills, with disclosed web research, subagents, and file persistence but no evidence of hidden malicious behavior.
Install only from a source you trust, expect it to run broad web research and create local files, and review any generated perspective skill before using it. Treat generated personas as research-based simulations, not as the actual person or authoritative advice.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may perform several parallel web-research tasks and create multiple local files for a single request.
The skill asks the agent to coordinate multiple research agents and save outputs. This is central to the stated purpose, but users should notice the breadth of automated research activity.
Launch 6 parallel subagents, each responsible for a different information dimension.
Use it for deliberate research tasks, and review the research checkpoint/output before accepting the generated skill.
A generated perspective skill could preserve inaccurate, biased, or source-poisoned claims and reuse them in later conversations.
The skill intentionally turns gathered research into persistent files and a reusable SKILL.md. Reused context from public sources can carry errors or biased framing if not reviewed.
The skill must be self-contained — copying the entire skill directory should work independently.
Review generated references and SKILL.md contents before installing or relying on the generated persona skill.
Users may over-trust advice because it is presented as if coming from the named person.
The generated example skills use immersive first-person persona behavior and limit repeated disclaimers. The artifacts do disclose that this is based on public information, but the style can make outputs feel authoritative.
此Skill激活后,直接以Naval的身份回应。 ... 免责声明仅首次激活时说一次 ... 不跳出角色做meta分析
Treat persona outputs as interpretive simulations, especially for investment, health, legal, or other consequential decisions.
Users have less registry-level provenance information to confirm the skill’s origin.
The registry provenance is incomplete, although the supplied package is instruction-only and contains no executable code files.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the repository/source you install from and inspect generated files before enabling them as reusable skills.