企业-底层技术断供隐患排查 (Enterprise: Underlying-Technology Supply-Cutoff Risk Screening)

Security checks across malware telemetry and agentic risk

Overview

The skill is a prompt-only supply-chain auditor (no scripts, dependencies, or external fetches), but its instructions explicitly ask the agent to propose routes around export controls, so it needs review before installation.

Install only if you are comfortable reviewing and constraining the prompt for lawful compliance use. Before use, remove or rewrite the sections on third-country routing, licensing workarounds, and design changes intended to avoid controlled technology, and narrow the activation trigger to explicit supply-chain security, export-control compliance, or resilience-assessment requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The trigger activates on broad requests about a company's technology, future prospects, or self-reliance, which captures ordinary business-analysis queries far beyond a narrowly defined security-audit use case. Overbroad activation increases the chance the skill is invoked in inappropriate contexts and then runs its sanctions, dependency, and survival-analysis workflow where it was not requested, creating unnecessary exposure to sensitive or dual-use guidance.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger covering questions about a company's underlying technology and development prospects is ambiguous and not clearly bounded to defensive supply-chain risk assessment. Because it can match common research- or investment-style questions, it may activate the skill in contexts where its detailed sanctions and workaround-oriented instructions are misaligned and potentially harmful.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding
The skill explicitly instructs the model to identify '绕道路径' (detour routes), including third-country transshipment, technology licensing, and designing around controlled technology. This is dangerous because it operationalizes methods for bypassing export controls and sanctions, directly enabling evasion rather than compliance analysis.

Ssd 4

Severity: High
Confidence: 98%
Finding
In context, the instruction flow moves from identifying chokepoints and sanctions exposure, to simulating cutoff scenarios, to recommending concrete breakout paths, including sanctions-evasion-style options. This cumulative structure makes the skill more dangerous than a neutral risk-assessment tool, because it turns defensive analysis into actionable assistance for circumventing export restrictions and supply controls.

VirusTotal

63/63 vendors flagged this skill as clean. Note that a clean antivirus verdict is expected for a prompt-only skill: the findings above concern the natural-language instructions, which file-based malware scanning does not evaluate.