Ddzaishot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-built Dou Dizhu game assistant, but it needs review because it can capture the full screen, save screenshots, and automate mouse clicks with limited scoping or safety controls.

Review before installing. Use only if you are comfortable with the skill reading your visible screen and potentially controlling mouse clicks during gameplay. Hide sensitive windows before scanning, check the logs directory for saved screenshots, use calibration carefully, and enable auto mode only when the game window is focused.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium, 92% confidence
Finding
The README explicitly advertises automatic screen recognition and mouse-click automation, which are privacy- and system-impacting capabilities, but provides no warning, consent flow, scope limitation, or safety guidance. In this context, the combination of screen capture plus input automation can expose sensitive on-screen information and enable non-transparent automated interaction with other applications, making the omission materially risky.

Vague Triggers

Medium, 90% confidence
Finding
The trigger text is very broad: '当你需要帮助用户玩斗地主或分析牌局时,使用此技能。' (in English: "When you need to help the user play Dou Dizhu or analyze a game, use this skill.") This can cause the skill to activate on loosely related requests, increasing the chance of unintended execution of screen-scanning, input-assistance, or other sensitive functionality without a clearly narrow user intent boundary.

Missing User Warnings

Medium, 88% confidence
Finding
The code performs GUI automation that can click game controls and trigger actions after only an internal enabled flag and a delay, without any runtime confirmation, visible safety warning, target-window validation, or bounds checking on the requested card indices. If invoked in the wrong context or while focus is on another application, it could generate unintended clicks and actions in the user's active session.

Missing User Warnings

Medium, 87% confidence
Finding
capture_full() performs a full-screen screenshot, which can collect unrelated sensitive information visible on the desktop, including messages, credentials, or other applications. In a game-assistant context this is somewhat expected, but the lack of user-facing notice, scope limitation, or consent increases privacy risk because capture is broader than necessary.

Missing User Warnings

Medium, 92% confidence
Finding
save_screenshot() writes a screenshot to disk without warning, which creates a persistent local artifact that may contain sensitive on-screen data long after capture. Persistence materially increases risk versus transient in-memory processing because other local users, backups, or malware could later access the saved image.

VirusTotal

62/62 vendors flagged this skill as clean.
