德胧 Public Opinion Intelligence Toolbox (德胧舆情情报综合工具箱)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent public-opinion monitoring skill, but it needs review because it includes broad activation terms, recurring monitoring examples, and outbound Feishu reporting without enough scoping controls.

Install only if you intend to use it for authorized business monitoring. Before enabling automation, replace the fixed Feishu recipient with an approved channel, use low-privilege dedicated credentials, verify any BettaFish package or Docker image, define allowed monitoring topics, and document how scheduled jobs can be disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger list includes broad, common terms such as '舆情', '情报', '监控', and '风险分析', which can cause the skill to activate in unrelated conversations. In an agent environment, accidental invocation can lead to unintended data collection, external searches, or generation of risk reports beyond the user's actual intent.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger list includes very broad terms such as '舆情', '情报', '监控', and '风险分析', which can cause the skill to activate for many unrelated requests. In this skill, unintended invocation is more concerning because activation can lead to web searches, automated monitoring flows, and outbound Feishu reporting, increasing the chance of unnecessary data collection or unintended message delivery.

Vague Triggers

Low
Confidence: 90%
Finding
The risk-analysis section defines activation with generic phrases like '风险分析、防控预案、规避建议' but does not specify scope, required inputs, or clear gating conditions. This ambiguity can cause the skill to run sensitive analytical workflows on loosely related user input, producing overbroad or inappropriate outputs and increasing the chance of accidental operational use.

VirusTotal

43/43 vendors flagged this skill as clean.
