E-book Download (电子书下载)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate book downloading from third-party sources and unpack files locally, which needs careful review before use.

Install only if you are comfortable with an assistant finding, downloading, and extracting book files from third-party sources. Confirm that any source is legitimate and that you have rights to the material, and avoid running it on sensitive systems unless downloads are reviewed in a quarantined folder first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger conditions are intentionally broad and explicitly say to activate even when the user only implies they want to obtain a book. In context, this skill automates locating third-party download sources, bypassing access steps, downloading archives, and extracting files to the user's machine, so over-triggering can cause unintended execution of risky file/network actions and facilitate copyright infringement or delivery of untrusted files.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill performs filesystem and network operations on the user's computer, including curl downloads, archive extraction, and cleanup, without requiring informed consent or presenting safety warnings. Because the content is fetched from third-party file-sharing sites and then unpacked locally, this creates a realistic path to malware delivery, overwriting user files, or deleting artifacts before the user can inspect them.

VirusTotal

61/61 vendors flagged this skill as clean.
