Meme Lord

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Chinese meme helper; its web searches and broad meme triggers create privacy and accidental-activation caveats, but they are disclosed, purpose-aligned, and low impact.

Install only if you are comfortable with meme lookup requests being sent to external search or hot-list sites. Avoid using private, unreleased, personal, or confidential phrases as lookup text, and invoke the skill with explicit meme-related wording if accidental activation would be disruptive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 95%
Finding
The top-level trigger list includes broad terms like “meme”, “整活”, and “抽象”, which can appear in ordinary conversation and cause unintended skill activation. In an agent setting, overbroad activation can unexpectedly switch behavior, trigger networked lookups, and override the user’s intended workflow.

Vague Triggers

Medium
Confidence: 89%
Finding
Feature-level triggers such as “什么意思” and “出处是什么” are too generic and may match many non-meme queries. This increases the chance of the skill being invoked outside its intended context, potentially causing irrelevant responses or unnecessary external searches.

Vague Triggers

Medium
Confidence: 91%
Finding
The creation-mode trigger list contains colloquial terms like “整活” that are broad and commonly used beyond meme generation. This can lead to accidental activation of creative behavior when the user did not explicitly request this skill, reducing predictability and control.

Vague Triggers

Low
Confidence: 82%
Finding
The trending-mode phrase “热梗” is somewhat broad and may be used casually without a clear request to invoke this skill. Because this mode drives external lookups of hot lists, accidental activation can create unnecessary network activity and privacy surprises.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly requires web searches and third-party source retrieval but does not inform the user that their query or related terms may be sent to external services. This creates a transparency and privacy risk, especially if user-provided text contains sensitive, personal, or confidential content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The hot-trend feature mandates checking external platforms such as Baidu, Weibo, or B站 without warning the user about network access. Users may not expect that invoking a simple “recent memes” request results in external requests, which can expose interests, metadata, or query terms to third parties.

VirusTotal

66/66 vendors flagged this skill as clean.