ClawHub
Back to skill

Security audit

second-brain-digest

Security checks across malware telemetry and agentic risk

Overview

This is a simple Chinese knowledge-card workflow with broad trigger wording but no hidden execution, credential use, or automatic data storage.

Install this if you want a Chinese-language workflow for turning content into reusable knowledge cards. For private meetings, notes, or conversations, review the generated cards before saving them, and make clear when you want only a plain summary instead of knowledge-base card formatting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions are broad enough to capture ordinary summarization, note-taking, or content-organization requests, causing the skill to activate outside its intended niche. This can lead to incorrect routing, unnecessary data retention workflows, or unintended transformation of user content into a structured knowledge-base format when the user only wanted a simple summary.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "帮我消化这篇文章" is broad enough to overlap with ordinary summarization or note-taking requests, which can cause the skill to activate in many routine conversations. In an agent setting, overbroad routing can unexpectedly ingest user-provided content into a knowledge workflow, increasing the chance of unintended data capture or execution of the wrong capability.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The export request "帮我导出成 Obsidian 格式" is ambiguous because it does not clearly bind the action to a previously generated card set or require confirmation of what content should be exported. That can lead to unintended export of the wrong notes or broader knowledge-base content than the user intended, especially in a persistent memory or notebook environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal