ClawHub

AI珠宝鉴定与选购

Security checks across malware telemetry and agentic risk

Overview

This jewelry appraisal skill is purpose-aligned and does not show hidden data access, credential use, persistence, or destructive behavior.

Use this skill for jewelry research and appraisal-style guidance, but avoid uploading certificates with personal or transaction details unless needed. Treat market prices and investment suggestions as references, verify with authoritative labs or professionals before buying, and remember that optional web lookup may expose search terms to the agent's search tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes very broad, common consumer terms such as jewelry categories, certificates, metals, and investment-related phrases, which can cause the skill to activate outside the author's intended scope. Over-broad activation increases the chance that unrelated conversations, sensitive uploads, or requests better handled by other skills are routed here, leading to inappropriate web searches or processing of user-provided images/documents.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger conditions describe many broad jewelry-related scenarios but do not define boundaries for non-activation, fallback behavior, or ambiguity handling. In an agentic system, this can lead to over-selection of the skill for general shopping, image, pricing, or document questions, which increases the risk of unnecessary external searches and handling of potentially sensitive user data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly supports user-uploaded certificate images and web searches for real-time market data, but it does not warn users that uploaded documents and query content may be transmitted to external tools or services. Certificate images can contain identifying or transaction-related details, so the lack of a clear privacy and data-transfer notice creates a meaningful risk of inadvertent exposure.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal