opc-board

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed advisory skill for stress-testing solo business ideas, with no executable code, dependencies, credential use, persistence, or network behavior found.

Install only if you want an opinionated Chinese-oriented feasibility review workflow. Be aware it may activate on broad idea-review phrases and its detailed scoring rules are mostly in Chinese, so English-only users should review the included README and templates before relying on its business judgments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrase is broad and overlaps with common conversational requests such as asking for a general opinion on an idea. In an agent system that auto-selects skills from natural language, this can cause unintended invocation, leading the skill to activate when the user did not explicitly request this evaluation workflow.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill advertises very broad trigger phrases such as common idea-evaluation requests in both Chinese and English. This can cause unintended invocation in normal conversation, leading the agent to switch into this skill when the user did not explicitly ask for it, which is a prompt-routing and least-surprise problem rather than a code execution risk. In this context, the skill is advisory and not directly high impact, but accidental activation could still derail user intent or suppress better-suited skills.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The skill content is entirely in Chinese while the metadata and likely invocation contexts include both Chinese and English use cases. This can cause operators or users to misunderstand scoring rules, constraints, or outputs, leading to incorrect feasibility assessments and unsafe downstream decisions. In an agent skill, language-only instructions also reduce auditability and increase the chance that hidden or risky logic goes unnoticed by reviewers who do not read the language.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The skill content is written entirely in Chinese and repeatedly assumes Chinese-language interaction without offering the user a language choice. This can exclude or confuse users who invoked the skill in another language, causing misleading outputs, degraded usability, and potential consent/accessibility issues rather than direct security compromise.

VirusTotal

64/64 vendors flagged this skill as clean.
