Security audit

AI半导体工程师

Security checks across malware telemetry and agentic risk

Overview

This semiconductor research skill is mostly coherent, but it may send proprietary engineering details to external search services without clearly warning the user.

Review this skill before installing it in confidential engineering environments. Use it only for non-sensitive semiconductor research unless you are comfortable with search queries being sent externally, and avoid including proprietary design files, process details, tool logs, customer data, or unreleased product information in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 92% confidence

Finding: The skill declares very broad trigger terms such as '半导体' (semiconductor), '芯片' (chip), 'IC设计' (IC design), 'EDA', and related generic industry words, which can cause the skill to activate in conversations that only tangentially mention semiconductor topics. Unintended invocation can expose user prompts to the skill's instructions and any network-backed behaviors, increasing privacy and prompt-routing risk.

Missing User Warnings

Medium, 96% confidence

Finding: The markdown explicitly instructs the agent to use network-backed searches for IC design and EDA guidance, but it provides no warning that user content or derived queries may be sent to external services. In a professional semiconductor context, prompts may contain proprietary design details, tool configurations, process data, or failure-analysis information, so silent external transmission creates a meaningful confidentiality risk.

VirusTotal

63/63 vendors flagged this skill as clean.