对标筛选 (Benchmark Filtering)

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only benchmark-filtering skill with minor routing and language-default caveats, but no code execution, data access, or hidden behavior.

Install this if you want Chinese-language help screening creator or one-person-business benchmarks. Be aware it may answer in Chinese by default and is designed for quick filtering, not full case research or decisions based on private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description is broad enough that an agent could invoke it for many loosely related benchmark-selection or advice tasks, causing scope creep and misrouting. This is primarily a security-quality issue because over-broad triggers can override more appropriate skills or workflows, leading to incorrect handling of user requests rather than direct compromise.

Vague Triggers

Medium
Confidence: 84%
Finding
The overview says to use the skill whenever the user needs help choosing who to study or copy from, but it does not distinguish this from ordinary strategic advice or general research assistance. That ambiguity can cause inappropriate activation and steer the agent into a constrained workflow that may not fit the user's intent.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
Imposing Chinese as the default output language without explicit user preference can cause the agent to ignore or override the user's language context. In multi-skill systems, this is a policy-control issue because a skill should not silently change response language unless the user asked for it or the system established that preference.

VirusTotal

64/64 vendors flagged this skill as clean.
