English Visual Vocabulary

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal English vocabulary learning helper that creates local study materials and may use image tools, with no hidden or destructive behavior found.

Install if you want a vocabulary-study assistant that can create local study files and use image tools. Use explicit prompts to invoke it, and be aware that image search or generation may send requested words or topics to external services depending on the host agent’s tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 84%
Finding
The README promotes very broad natural-language trigger phrases such as '帮我背单词' and '制定一个30天英语学习计划', which can cause the skill to activate unintentionally in ordinary conversation. Unintended activation can lead to unexpected tool use, confusion, or secondary privacy issues if the skill invokes image generation or search features without the user explicitly intending to use this skill.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README advertises a network image search capability but provides no user-facing warning about what data may be sent to third-party services, what queries are logged, or how retrieved content is handled. In a learning tool, user-entered vocabulary, interests, or study topics may be transmitted externally, creating avoidable privacy and content-safety risks if users are not informed or given consent controls.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases such as '背单词' and '帮我学英语' are broad enough to match normal conversation, which can cause the skill to activate unintentionally. Unintended invocation can redirect user requests, create confusion, and expose user content or context to the skill when the user did not explicitly mean to use it.

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest trigger list contains generic phrases like '学英语' and 'vocabulary' without scope constraints, increasing the chance of accidental activation across unrelated conversations. This is dangerous because it lets the skill intercept broad classes of user input and potentially act on them without clear user intent.

VirusTotal

66/66 vendors flagged this skill as clean.
