ClawHub
Back to skill

Security audit

软件成本评估办法

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate external software cost-estimation dashboard, but it can steer sensitive project and budget details to a third-party site without enough disclosure or user-control safeguards.

Install only if you intentionally want to use the external cost-estimation dashboard. Before entering project plans, pricing, customer details, staffing assumptions, architecture notes, credentials, or regulated business information, review the destination site's operator, privacy terms, retention practices, and approval requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill repeatedly directs users to an external website to continue the workflow, but provides no warning about what data may be sent there, who operates the site, or how privacy and retention are handled. Because this skill is specifically for software cost estimation, users may upload sensitive business plans, budgets, scope details, or internal project information to a third-party service without informed consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation with no trigger constraints, exclusions, or user-confirmation guardrails. This can cause the agent to invoke the cost-dashboard skill opportunistically in unrelated conversations, increasing the risk of unintended data flow to the external workflow or misleading users about when the skill is being used.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.