CN Life Toolkit - 中国生活服务工具包

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only helper for China local-service lookups, with no executable install behavior; the main risk is sharing location, route, or parcel details with external services.

Install only if you are comfortable using external China-based service providers for weather, map, traffic, fuel-price, transit, and parcel lookups. Treat courier tracking numbers and precise addresses as sensitive, and confirm before sending them to third-party APIs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding: The example trigger phrases are extremely generic everyday requests such as asking about weather, traffic restrictions, oil prices, parcel tracking, and transit. In an agent platform, broad triggers can cause the skill to activate unexpectedly during normal conversation, increasing the chance of unintended routing, data exposure to the skill, or interference with other skills handling similar intents.

Vague Triggers

Medium
Confidence: 92%
Finding: The trigger condition is broadly defined as any request about common local life services, which overlaps with a large range of everyday conversations. This can cause unintended invocation of the skill and unnecessary routing of user queries into external-service workflows, increasing privacy and reliability risks.

Missing User Warnings

Medium
Confidence: 95%
Finding: The parcel-tracking feature processes sensitive data including tracking numbers, real-time location, delivery status, and courier contact details, but the skill description does not warn users or define handling limits. If triggered casually or logged improperly, this can expose personal movement, recipient information, and third-party contact data.

VirusTotal

65/65 vendors flagged this skill as clean.
