ClawHub

File Cleaner ZH

Security checks across malware telemetry and agentic risk

Overview

This file organizer is not malicious, but it can immediately move many user files after broad Chinese trigger phrases without a preview or confirmation.

Install only if you are comfortable with a skill that can reorganize Desktop, Downloads, Documents, or an explicit Windows path as soon as you ask it to organize. Use it first on a test folder or backed-up directory, and avoid invoking it on important folders until it adds preview, confirmation, and undo behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger keywords are very broad generic terms like '整理' and '分类', which can match normal conversation and cause the skill to activate unexpectedly. In a file-organizing skill, accidental activation is risky because it could initiate file moves, classification, or duplicate cleanup on unintended directories, leading to user confusion or data disruption.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises organizing files and cleaning duplicates but provides no warning that these actions can move, rename, or delete user files. In this context, the absence of warnings increases the chance that users will invoke potentially destructive operations without understanding the consequences, especially for duplicate removal where false matches can cause permanent data loss.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill performs bulk file moves immediately after parsing a natural-language request, without any explicit confirmation, preview, or dry-run step. Because it operates on common user directories like Desktop, Downloads, and Documents, an ambiguous or accidental trigger can unexpectedly reorganize large numbers of files and disrupt user workflows or software expectations.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal