China Efficiency Toolkit (中国效率工具集)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent China-focused lookup toolkit, but users should understand that lookup identifiers are sent to third-party public APIs.

Install only if you are comfortable sending queried tracking numbers, phone numbers, and IP addresses to public third-party services. Avoid using it for sensitive, private, or regulated identifiers until the author documents the providers clearly and switches IP lookup to HTTPS.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly handles sensitive user-supplied data such as phone numbers, IP addresses, and package tracking numbers, and states that it relies on public third-party APIs without warning users that these identifiers will be transmitted off-platform. This creates a real privacy and data-sharing risk because users may unknowingly disclose personal or quasi-personal data to external services with unknown retention, logging, or jurisdictional practices.

Missing User Warnings

Medium
Confidence: 95%
Finding
The phoneLocation function sends a user-supplied phone number to a third-party API (cx.shouji.360.cn) with no notice, consent flow, minimization, or privacy documentation. Phone numbers are personal data, and silently transmitting them to an external service creates privacy, compliance, and trust risks if users do not realize their input leaves the local tool.

Missing User Warnings

Medium
Confidence: 98%
Finding
The ipLocation function transmits user-supplied IP addresses to ip-api.com, and does so over plain HTTP rather than HTTPS. This is dangerous both because the user is not warned that potentially sensitive network-identifying information is shared with a third party, and because unencrypted transport exposes the queried IP and returned location data to interception or tampering in transit.

VirusTotal

63/63 vendors flagged this skill as clean.
