掌眼小助理

Security checks across malware telemetry and agentic risk

Overview

This skill is a bounded antique-appraisal helper with some broad trigger phrases but no hidden access, persistence, credential use, or unsafe automatic actions.

Use this only for preliminary antiques or collectibles guidance. Be careful with high-value purchases, legal/customs matters, or official authentication needs, and consider narrowing triggers or requiring confirmation for generic phrases like “鉴定” or “能不能买.”

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 90% confidence
Finding
The trigger examples for artifact_authenticity_check are very broad everyday phrases such as '帮我看看这件东西' and '掌眼一下'. In a voice or chat routing system, these ambiguous utterances can cause accidental invocation and misroute general requests into this specialized skill, which is risky because the skill gives collection and authenticity guidance that users may rely on for purchase decisions.

Vague Triggers

Medium, 87% confidence
Finding
Other intent examples like '帮我断代', '帮我看看款识', and '能不能买' are also underspecified and could match unrelated conversations outside the antique appraisal context. This increases the chance of unintended activation or incorrect intent selection, leading users to receive specialized recommendations without sufficient context, especially problematic in a skill that discusses authenticity, provenance signals, and collecting decisions.

Vague Triggers

Medium, 85% confidence
Finding
The trigger list contains broad natural-language phrases such as “鉴定”, “帮我看看这件东西”, and “看看真假”, which can overlap with ordinary user requests and cause unintended invocation of the skill. In a collectibles-assessment context, accidental activation could route users into specialized advice they did not intend to request, increasing confusion, overcollection of context/images, or misuse of the skill outside its intended scope.

VirusTotal

66/66 vendors flagged this skill as clean.
