AI Smart Home Kitchen Assistant (AI 智能家庭厨助)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cooking assistant that reads a bundled recipe database and can create disclosed local HTML recipe reports, with only modest privacy and accidental-activation caveats.

Installers should expect this skill to handle recipe and meal-planning prompts, optionally use external web search for gaps, and create local HTML report files. Avoid entering sensitive health, allergy, household, or dietary details if you do not want them used in search queries, and review generated report files if disk persistence matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence: 91%
Finding
The README explicitly states the skill uses '联网搜索补充' ("supplemented by web search") but does not warn users that their recipe queries, ingredients, or dietary preferences may be transmitted to external services. In a cooking assistant this is not highly sensitive by default, but undisclosed outbound data flow is still a real privacy and transparency issue, especially if users enter health-related dietary constraints or household information.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger list contains many short, everyday phrases that can cause accidental activation in unrelated conversations. Unintended invocation increases the chance of unnecessary file operations, unexpected HTML generation, or confusing context switches, especially because the skill advertises automatic output behavior.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill states that it automatically generates an interactive HTML report but does not clearly warn users that a file will be written. Silent file creation is a security and privacy concern because it creates persistent artifacts on disk without explicit user awareness or consent.

VirusTotal

63/63 vendors flagged this skill as clean.
