ClawHub

uniapp-test

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only uni-app testing workflow whose file edits and test commands are disclosed and aligned with its purpose, but users should invoke it deliberately.

Install this only if you want an agent to help with uni-app automated tests. Use it in trusted project folders, review diffs before keeping changes, and confirm the exact npm test command before running browser, emulator, or device tests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger description is extremely broad and explicitly says the skill should be used whenever users mention a wide range of common uni-app, testing, page, file, and command terms, even if they do not explicitly ask for automated testing. This can cause accidental invocation in unrelated development conversations, increasing the chance the agent performs file analysis, test generation, or test-running workflows in contexts the user did not intend.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill declares that it should be used whenever a broad set of common uni-app-related terms appear, even if the user did not explicitly ask for automated testing. That can cause accidental invocation of a workflow that reads project files, edits or creates test files, and may run local test commands, increasing the chance of unintended code modification or command execution from an ambiguous prompt.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow instructs the agent to create or modify `*.test.js` files and run `npm run test:*` commands, but it does not clearly require explicit user consent for those state-changing actions. In an agentic environment, this can lead to unintended local command execution, file creation, or overwriting changes, which is especially risky because test runners may execute arbitrary project-defined scripts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal