Website Development Decision Support (网站开发辅助决策)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward website feasibility research and HTML report generator, with only low-impact file creation and trigger-scope cautions.

Install only if you want an agent to perform public web research and create local HTML feasibility reports. Choose a clear output filename, avoid overwriting existing files, and review generated reports before opening them if they include content copied from untrusted web pages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger examples include broad conversational phrases such as asking whether a website is feasible, which can cause the skill to activate during normal discussion without deliberate user intent. Unintended invocation becomes more concerning here because the skill may launch searches and generate output artifacts, consuming resources and creating files unexpectedly.

Missing User Warnings

Low
Confidence: 87%
Finding
The skill states that it generates an HTML report but does not clearly warn users that this involves writing a file to disk. Even if the file content is benign, silent artifact creation can violate user expectations, clutter the environment, or overwrite files if output handling is poorly controlled.

Missing User Warnings

Low
Confidence: 92%
Finding
The Python example writes directly to `output.html` in the current working directory without any warning, path validation, or overwrite protection. This can lead to accidental overwriting of an existing file or unexpected persistence of generated content, especially in automated environments.

VirusTotal

65/65 vendors flagged this skill as clean.
