qcstory

Security checks across malware telemetry and agentic risk

Overview

This is a text-only Chinese QCstory coaching skill with no code or system access; its main caution is broad activation wording that could start the workflow unexpectedly.

Install this if you want a Chinese QCstory improvement coach. Be aware it may start from fairly general work-improvement prompts, and avoid entering confidential business details unless you are comfortable including them in the chat context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger conditions are broad enough to activate on generic statements like wanting to improve a work problem or solve something systematically. That can cause unintended skill invocation, overriding the user's actual intent or steering unrelated conversations into the skill's rigid workflow, which is a prompt-safety and UX integrity issue.

Natural-Language Policy Violations

Medium
Confidence: 77%
Finding
The skill description and behavior are written to operate in Chinese without checking the user's language preference. This can create unwanted language switching, reduce transparency, and make the interaction less understandable, especially if auto-invoked from broad triggers.

Vague Triggers

Medium
Confidence: 86%
Finding
The skill declares it should respond to 'any trigger word', which creates an overly broad activation surface and increases the chance of unintended invocation in unrelated conversations. In agent environments, ambiguous triggering can cause the skill to hijack normal dialogue flow, collect unnecessary user/process data, or interfere with other skills and routing logic.

VirusTotal

63/63 vendors flagged this skill as clean.