AI Tattoo Design Guide

Security checks across malware telemetry and agentic risk

Overview

This is a coherent tattoo advice and report-generation skill, with ordinary caution needed for localized safety advice and a third-party chart script in generated HTML reports.

Before installing, treat this as advisory tattoo-planning content, not medical or legal advice. Confirm your country or region before relying on pricing, minor-consent rules, or studio requirements, and consult a licensed tattoo professional or clinician for health risks, allergies, skin conditions, infection signs, pregnancy, medication, or immune issues. Generated reports load Chart.js from a CDN, so open them only in a browser context where that third-party script dependency is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The template loads Chart.js directly from a third-party CDN, which introduces external code execution and a network dependency into an otherwise local HTML report. If the CDN response is tampered with, unavailable, or replaced, the rendered report can execute untrusted JavaScript in the user's browser; this risk is somewhat reduced by the non-sensitive tattoo-report context but is still unnecessary supply-chain exposure.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger condition '用户询问任何与纹身设计、风格、部位、安全、护理相关的问题' is extremely broad and can activate the skill for ordinary conversation that only tangentially relates to tattoos. Over-broad routing increases the chance the agent injects specialized advice or HTML-report behavior when the user did not clearly request this skill, causing scope creep, inappropriate guidance, or policy/context mismatches.

Vague Triggers

Low
Confidence: 84%
Finding
The condition covering users who 'share tattoo ideas and hope for design suggestions' relies on broad natural phrasing and can be matched from casual brainstorming rather than a clear skill invocation. This can lead to unintended skill loading, collecting unnecessary personal preference data, or prematurely steering the interaction into a structured consultation flow.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
Hard-coding China-specific pricing, regulation, and legal guidance without explicit user locale confirmation can cause the skill to provide inaccurate or inapplicable safety and compliance advice. In a health- and legality-adjacent domain like tattooing, wrong jurisdictional guidance may mislead users about minors, hygiene requirements, artist qualifications, or expected costs.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger condition is broad enough that the skill may load during ordinary conversation whenever tattoos or placement are mentioned, increasing the chance of unintended activation and unnecessary injection of skill guidance into unrelated contexts. In an agent system, over-broad routing can cause scope creep, privacy exposure from over-collecting user context, and confusion if the model applies tattoo-specific recommendations when the user did not explicitly request them.

Missing User Warnings

Medium
Confidence: 89%
Finding
The file provides detailed tattoo style guidance and frames recommendations for permanent body modification without an upfront warning that tattooing is irreversible, has health risks, and should be discussed with qualified professionals. In this skill context, omission is more concerning because the content is designed to influence user decision-making around elective, permanent procedures.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The watercolor section recommends the style for '女性用户' without framing it as a common preference or offering user-centered alternatives, which can encode unnecessary gender stereotyping into the skill's advice. In a personalization skill, this can lead to biased or exclusionary recommendations and reduce recommendation quality for users who do not match the stereotype.

VirusTotal

60/60 vendors flagged this skill as clean.
