ClawHub

China Id Validator

Security checks across malware telemetry and agentic risk

Overview

This is a local Chinese ID validator/parser with a disclosed test-ID generator, and I found no hidden network access, persistence, credential use, or destructive behavior.

Install only if you need local Chinese ID validation/parsing. Avoid entering real ID numbers unless necessary, and treat terminal output or chat logs as sensitive. Do not use the generator for account creation, KYC bypass, or any real-world identity workflow; it should be limited to controlled test data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The documentation advertises validation/parsing/conversion, but the usage examples expose an additional generate command. While this is primarily a documentation issue, in an identity-related skill it can mislead reviewers and downstream systems about the tool's true capabilities, reducing transparency around a potentially sensitive function. The context makes this more concerning than a normal utility because national ID number generation can support abusive workflows.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script includes a `generate()` capability that creates valid-looking Chinese ID numbers, which goes beyond the stated validation/parsing purpose in the skill metadata. Even if labeled 'for testing only,' this can facilitate creation of synthetic identifiers that may be misused in fraud workflows, testing against third-party systems, or evasion of controls that only verify checksum and format.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code can generate structurally valid Chinese ID numbers by assembling region/date/sequence values and computing a correct checksum. Because many downstream systems rely on format and checksum validation as a first gate, this capability materially lowers the barrier to producing plausible identity numbers for abuse, despite no clear necessity for the advertised validator/parser function.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal