ClawHub

Recipe Scout — Chinese Recipes

Security checks across malware telemetry and agentic risk

Overview

This is a coherent recipe-research skill that can optionally save recipe notes, with no evidence of hidden or destructive behavior.

Install if you want Chinese recipe research and optional Obsidian note export. Before exporting, confirm the target folder and filenames, especially if your vault syncs to other devices, and prefer public recipe pages over logged-in browser sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation description is broad enough to match common cooking-related requests such as meal ideas, weeknight cooking, or 'how to cook X,' which increases the chance the skill is triggered when the user did not explicitly intend recipe retrieval or file-export behavior. In this skill's context the danger is limited because the domain is benign, but over-broad auto-invocation can still cause unnecessary web access, unexpected tool use, and downstream side effects like recipe-note generation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states it may write markdown files to `/home/node/vault/Recipes/Chinese/` or a fallback workspace path, but it does not require an explicit user confirmation or warn about filesystem modification. Even in a low-risk recipe skill, silent file creation is a meaningful side effect that can surprise users, overwrite curated notes, or clutter synced knowledge bases such as Obsidian vaults.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal