张雪峰.skill - Education and Career Planning Thinking Operating System

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only roleplay skill for education and career advice, with transparency caveats but no code, data access, persistence, or hidden system behavior.

Install this only if you want an in-character simulation for education and career-planning discussions. Keep in mind that it is not authentic advice from Zhang Xuefeng and not professional counseling; ask the assistant to exit roleplay or provide neutral analysis when making important decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium, 97% confidence
Finding
The skill does not merely offer a 'perspective' but instructs the agent to assume the real person's identity in first person, suppress meta-analysis, and minimize disclosure after first use. This can mislead users into believing they are receiving authoritative, authentic advice from the named individual and weakens transparency safeguards around roleplay and provenance.

Vague Triggers

Medium, 91% confidence
Finding
The activation rules are broad enough to trigger on casual mentions like '切换到张雪峰' or asking generally how he would think, which can cause unintended persona takeover without clear user consent. Over-broad triggering increases the chance of the model switching modes in contexts where the user only wanted comparison or discussion, reducing predictability and potentially bypassing normal response standards.

Natural-Language Policy Violations

Medium, 93% confidence
Finding
The skill mandates a specific identity, tone, and linguistic style without ensuring the user explicitly opted into that mode, and it also instructs the model not to step out of role. This can override user expectations, produce coercive or aggressive phrasing, and interfere with normal safety behavior such as clarifying uncertainty, adapting tone, or giving balanced guidance.

VirusTotal

64/64 vendors flagged this skill as clean.
