research-summary

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for turning research reports into Chinese investment summaries, with some broad activation keywords and link-fetching behavior users should understand.

Install this if you want Chinese investment-style summaries of research reports. Be careful with confidential reports or private links, watch for accidental activation from broad keywords, and verify extracted figures and investment judgments before relying on the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger set includes broad terms like “analyst” and “180k”, which can match ordinary user conversation and cause unintended skill activation. In an agent setting, over-broad routing can expose unrelated user content to this skill’s prompt logic and increase the chance of prompt hijacking or unwanted data processing.

Vague Triggers

Medium
Confidence: 95%
Finding
The manifest contains vague single-term triggers without contextual guards, making accidental activation likely. This is dangerous because the skill accepts rich inputs including pasted content, links, and screenshots, so misrouting can lead to unintended handling of sensitive or irrelevant material.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly accepts web links and suggests automatic content fetching, but provides no notice, consent flow, or safety restrictions for retrieving external content. This can lead to server-side request forgery style behavior, retrieval of malicious prompt content, or unexpected transmission of user-supplied URLs to external systems.

VirusTotal

66/66 vendors flagged this skill as clean.
