Zh Semantic Enhancer

Security checks across malware telemetry and agentic risk

Overview

The skill does Chinese text analysis, but it also includes under-scoped monetization and self-modifying revenue code that users should review before installing.

Install only if you are comfortable with a skill that includes billing-related code, local trial/credit records under ~/.openclaw, and an executable revenue optimization helper that can rewrite installed skill files if run. Avoid running scripts/revenue_optimize.py unless you intentionally want those modifications and can review or roll them back.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium (86% confidence)
Finding
The skill stores per-user trial accounting under ~/.openclaw/skill_trial using unprotected local JSON files. Even though the data is limited, writing user-linked usage state to disk outside the core text-analysis purpose creates privacy and integrity risks, especially on shared systems or when other local processes can read or tamper with those files.

Intent-Code Divergence

Medium (90% confidence)
Finding
The batch_process method imports and calls the broader on_user_input handler for each item instead of limiting execution to the premium feature logic defined in this module. This creates a capability boundary violation: callers expecting narrow batch sentiment/industry processing may unintentionally trigger unrelated routing, side effects, plugin/tool execution, or privileged behavior exposed by the main input handler.

Intent-Code Divergence

High (95% confidence)
Finding
The module presents itself as a semantic-enhancement component, but its actual behavior is to rewrite another skill to inject monetization, pricing, and marketing features. This deceptive mismatch increases the chance of unauthorized execution and review bypass, especially because the script targets a fixed skill path and performs direct modifications.

Context-Inappropriate Capability

High (96% confidence)
Finding
The script unilaterally adds billing, subscription-like tiers, credits, and enterprise features to a different skill even though that functionality is unrelated to the apparent semantic-processing purpose. In this context, that is dangerous because it silently alters product behavior and can introduce unauthorized commercial logic, user charging pathways, and trust violations.

Context-Inappropriate Capability

Medium (90% confidence)
Finding
The added credit system stores per-user balances and purchase history under the user's home directory without any access controls, integrity protection, or privacy safeguards. This creates unauthorized account-like state, exposes potentially sensitive purchase metadata, and enables tampering or abuse if local files are modified.

Missing User Warnings

Medium (90% confidence)
Finding
User trial data is written locally without any disclosure, consent, or visible privacy notice in this file. Silent persistence of user identifiers and usage history can violate user expectations and privacy requirements, and the opaque local file can also be modified to bypass limits or misattribute usage.

Missing User Warnings

Medium (94% confidence)
Finding
The script writes new modules into another skill's directory without confirmation, dry-run output, or warning to the operator. Silent cross-file modification is risky because it can unexpectedly change runtime behavior, evade normal review, and make rollback difficult if the injected code is unwanted or harmful.

Missing User Warnings

Medium (92% confidence)
Finding
Updating SKILL.md and version metadata in place without notice can misrepresent the skill's capabilities and provenance, especially when paired with code changes that add monetization. This is dangerous because documentation and version changes can legitimize unauthorized modifications and obscure what was actually changed.

VirusTotal

64/64 vendors flagged this skill as clean.
