ClawHub

Darcy Sexy Brain

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide a sales/research workflow with disclosed web-search behavior, but users should watch for accidental activation and unnecessary external searches.

Install only if you want a sales/research skill that may use web search for market, trend, or competitor information. Prefer explicit activation, review searches before they run, and avoid giving it private business details unless needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The listed trigger keywords are generic and common in normal conversation, which makes accidental invocation likely. Because this skill imposes a strong response style and workflow, unintended activation can distort outputs, cause unnecessary complexity, and potentially invoke external search behavior when the user did not ask for it.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The listed trigger keywords are generic and common in normal conversation, which makes accidental invocation likely. Because this skill imposes a strong response style and workflow, unintended activation can distort outputs, cause unnecessary complexity, and potentially invoke external search behavior when the user did not ask for it.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The search activation rules are underspecified, especially phrases like '需要外部數據支持' and mentions of competitors or trends, which can be interpreted very broadly. This increases the chance of unnecessary web access, retrieval of untrusted external content, and expansion of the attack surface through tool-triggered prompt injection or data contamination.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal