Huahua Spirits

Security checks across malware telemetry and agentic risk

Overview

This is a local companion skill with passive chatter and small local state storage, not a data-stealing or destructive package.

Install only if you want an ambient companion that may appear without an explicit command. For sensitive or shared environments, use a pseudonymous seed instead of a real platform ID, review or clear assets/companion.json periodically, and disable or remove hook-react logging if message snippets should not be retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The hookReact path silently persists user-provided text snippets to companion.json without clear notice or consent. Even though it truncates to 50 characters and only records on positive-keyword matches, this is still undisclosed retention of user content, which can capture sensitive or identifying information and violates user expectations for a companion feature.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
This companion skill includes a hidden behavior that monitors input for positive keywords and records matched user text to disk. In the context of a virtual spirit companion, covert logging is unrelated to the core interaction and increases privacy risk because users are unlikely to expect their messages to be stored behind the scenes.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The passive trigger rules are broad enough to activate on ordinary conversation such as greetings, emotional language, or long-idle sessions, which can cause the skill to inject unsolicited content into unrelated chats. In an agent setting, this creates prompt-routing ambiguity and increases the chance of unintended invocation, especially because the skill is designed to proactively speak during heartbeat or passive contexts.

Vague Triggers

Severity: High
Confidence: 95%
Finding:
Allowing invocation by the spirit's name or the generic word '灵兽' without a command prefix is highly ambiguous and can hijack normal user messages that merely mention those words. Because the skill is instructed to respond proactively and passively, this can override or contaminate unrelated agent behavior, making routing errors and unexpected outputs much more likely.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The passive invocation rules rely on very common phrases like greetings and silence windows, which can cause the skill to activate unexpectedly in normal conversation. In an agent context, even low-stakes unsolicited output can interrupt workflows, create user confusion, and bypass the user's expectation that the skill only runs when explicitly invoked.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The spec derives a persistent companion from user identity and stores companion data on disk, but does not describe user notice, consent, retention limits, or how identifiers are handled. This creates a privacy risk because identity-linked data can be retained and correlated across sessions without the user's informed awareness, especially in shared or enterprise environments.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The code performs a file write of interactionHistory after silently collecting part of the user's text, with no user-facing disclosure, prompt, or consent flow. Undisclosed collection plus persistence is a privacy/security issue because stored content may later be accessed, exposed, or repurposed beyond the user's understanding.

VirusTotal

66/66 vendors flagged this skill as clean.