蜂兵虾将

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it automatically builds persistent user memory and profiles across broad use cases without enough user control or retention limits.

Install only if you are comfortable with the skill saving reusable profile, preference, history, goal, and workflow data to local memory files. Avoid using it with regulated, confidential, medical, financial, or personal material unless you first add clear consent, retention, review, and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (33)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill advertises broad industry monitoring, content creation, trend prediction, and scheduled reporting, but the file primarily defines mandatory persistent memory behavior and mentions capabilities not substantiated in the implementation. This mismatch is security-relevant because users may consent to one function while the skill silently performs broader data collection and stateful profiling than expected.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The documented behavior adds automatic cross-conversation memory collection and persistence of user history/preferences, which is materially different from simple monitoring/content assistance. Persisting user data across sessions increases privacy risk, especially when done by default and without a clear necessity tied to the advertised function.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill mandates automatic profiling of user preferences, industries, and interaction history, even though hot-topic monitoring does not inherently require persistent identity-style profiling. This creates unnecessary data accumulation and risk of overcollection, especially in sensitive domains like finance or healthcare mentioned in the description.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The module can write arbitrary memory entries into shared per-system files and later ingest them, creating a built-in data propagation channel across agent contexts. In a skill marketed for autonomous monitoring, reporting, and execution across industries, this materially increases the chance that sensitive user or business data is copied beyond its original scope without isolation or consent.

Context-Inappropriate Capability

Low
Confidence
73% confidence
Finding
The code automatically syncs stored methodologies to other internal systems ('signal' and 'goal') without any visible consent gate, scope restriction, or data-classification check. If the methodologies contain sensitive user-derived operational knowledge, this broadens data exposure across subsystems and can enable unintended secondary use beyond the user's expectations.

Intent-Code Divergence

High
Confidence
89% confidence
Finding
The code advertises multiple independent triggers for deep-analysis escalation, but the real logic only sets needAnalysis when attentionScore >= 80 during earlier evaluation. In an automation-oriented skill, this can silently suppress required escalation for high-risk items that meet other documented triggers such as discussion volume, emotion intensity, or worldview impact, causing operators to miss important events and make decisions based on false assumptions about system coverage.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The summary states that discussion volume >= 30000 automatically marks an item as S-level, but the actual S-level assignment is based on a composite attentionScore and does not independently enforce that rule. This discrepancy is dangerous in a monitoring workflow because users may trust the displayed policy and fail to manually review items they believe the system has already escalated, creating a false sense of protection.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented design expands the skill from business monitoring/content creation into persistent user-state profiling, including growth trajectory and emotional-state analysis tied to long-term memory layers. In this context, that is a material scope creep: it enables collection and reuse of sensitive personal inferences without a clear need for the advertised functionality, increasing privacy and misuse risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file explicitly states permanent storage for workflow templates and long retention for user-related memories that are not clearly disclosed in the public description. Undisclosed persistence creates a transparency and privacy problem because users may reasonably expect task assistance, not indefinite retention of behavioral/workflow history.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Emotion-state analysis is a sensitive inference capability and is not justified by the stated purpose of hotspot monitoring, content strategy, trend prediction, and work logging. Adding emotional profiling creates disproportionate privacy risk and can be used to manipulate recommendations, automate decisions, or build sensitive user profiles unrelated to the core service.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Long-term retrieval from L3-L4 user history for insight generation enables profiling across sessions beyond what a workflow assistant needs to function. Because the skill is marketed as broadly applicable across industries, including sensitive domains like finance and healthcare, this generalized historical profiling materially increases the risk of overcollection, sensitive inference, and secondary use.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The workflow introduces personal-state, growth, and emotion analysis capabilities that are not clearly disclosed in the skill's business-oriented description. Undisclosed collection and inference about emotional state or personal history can lead users to share sensitive data without informed consent, increasing privacy and profiling risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file is presented as a demonstration/reporting script, but it performs a persistent write via ai.memory.addToL3, which changes long-lived system state. Hidden or non-obvious state mutation in a demo is dangerous because a user may run it expecting read-only output while it silently alters future system behavior or memory contents.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The summary states that existing settings are unchanged, yet the code writes configuration-like data into memory and labels it as already updated/effective. This mismatch is dangerous because it misleads operators about side effects, undermines trust in the script, and can cause accidental configuration drift when users believe they are only viewing a demo.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill uses extremely broad, cross-domain language such as applying to 'all industries' and performing automatic execution, making it likely to trigger in many unrelated or sensitive contexts. In practice, overbroad activation expands the chance that the skill handles requests involving sensitive personal, medical, financial, or business data without context-specific safeguards.

Missing User Warnings

High
Confidence
98% confidence
Finding
The markdown states that cross-session memory is enabled and will automatically save and read user preferences and history, but it does not provide a user-facing privacy warning, consent flow, retention terms, or deletion controls. Silent persistent storage of behavioral data is dangerous because users may disclose sensitive information without understanding that it will be retained and reused later.

Missing User Warnings

High
Confidence
99% confidence
Finding
The workflow requires reading and writing persistent memory files on every run, including updating user profiles and session indexes, without any user warning that files will be modified. This is dangerous because it changes local state automatically, creates durable records of interaction data, and may expose sensitive preferences or histories to later access by other components or users of the environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill promises automatic report generation and 'automatic execution' without clarifying what actions may occur or how user data and system state may be affected. Ambiguous autonomous-action claims are risky because users may not realize that background processing, file writes, or other side effects can occur without interactive approval.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly describes adaptive behavior to 'skip confirmations' / '减少确认' based on user profile signals such as high completion rate. In a skill advertised as capable of broad industry use and 'automatic execution,' reducing confirmations without clear safety boundaries can cause unintended actions, especially for sensitive workflows affecting finance, healthcare, or operational decisions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The memory system persistently writes collected content to local disk in clear JSON/Markdown files across multiple tiers, with no indication of notice, consent, retention limits, or sensitivity handling. This creates a privacy and security risk because secrets, personal data, or regulated business information may be stored longer than expected and exposed to other local processes or operators.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The module stores sensitive personal goal and motivation data in persistent memory and later synchronizes profile/value data to other systems, but the code shows no consent gate, minimization, access control, or retention handling. In a skill marketed for broad cross-industry use, this increases the risk of privacy violations, unauthorized internal data propagation, and misuse of intimate behavioral profiling data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The reset instructions tell users to delete the memory directory recursively without a prominent warning that this destroys persisted data irreversibly. In a skill centered on long-term memory and knowledge retention, that makes accidental data loss materially more dangerous because users may follow the documented command expecting a safe reset.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code stores evaluated hotspots, statistics, and duty-person names in shared memory with no consent, retention notice, or access-control context. In a real deployment, this can leak operational schedules, personnel identities, and potentially sensitive monitoring data across users, agents, or later sessions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document describes broad cross-platform information collection and user historical data retention without visible privacy notice, consent flow, retention limits, or handling safeguards. In a skill spanning many industries, this is dangerous because users may provide regulated or sensitive information while believing the system is only doing ordinary content/workflow assistance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Persisting user progress after interruption means the system retains state and possibly sensitive intermediate inputs, but the workflow does not warn users that their data will be saved. Hidden persistence increases the chance of surprise retention, privacy complaints, and unauthorized reuse of prior context.

VirusTotal

64/64 vendors flagged this skill as clean.