ClawHub

Wenyan Compress

Security checks across malware telemetry and agentic risk

Overview

This is a lightweight text-compression skill with no hidden access, but its Python helper is only a placeholder and may echo your original text instead of compressing it.

Safe to install for ordinary text transformation experiments. Do not rely on the Python helper as a real compressor or redaction step: it may print the original input back. Review outputs before using them for legal, financial, medical, contractual, or other exact records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The implementation materially misrepresents the skill's behavior: it does not perform compression, fidelity checks, or ratio statistics, and instead echoes the supplied input back in a placeholder string. In an agent setting, this can leak sensitive user input to logs, downstream tools, or callers that expect transformed/minimized output, and it can cause unsafe automation decisions based on false assumptions about redaction or compression.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring states that the function calls a model to compress text, but the function actually returns the original text and style embedded in a placeholder. This discrepancy is security-relevant because callers may trust the function to transform or minimize sensitive content before storage, display, or forwarding, when in reality the raw input is preserved and exposed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal