ClawHub

Vocational Ed Policy Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed scraper for public vocational-education policy pages and does not show hidden data access, credential use, or automatic destructive behavior.

Install only if you want a tool that fetches public Chinese vocational-education policy pages and writes local result files. Review the optional cron and ClawHub publishing examples before running them, especially commands that remove files or publish, rename, or delete skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The implementation notes include a WSL publishing workflow that invokes PowerShell and performs filesystem operations unrelated to the stated scraping functionality. Embedding operational command guidance inside a skill increases the chance an agent or user will execute privileged local commands, expanding the skill's effective behavior beyond web scraping into local environment manipulation.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The description is broad enough that the skill could be invoked for a wide range of loosely related education-policy tasks, which may cause unintended activation. Unintended triggering is not directly exploit code execution, but it can lead to unnecessary network access, scraping, or use of higher-risk actions in the wrong context.

Natural-Language Policy Violations

Medium
Confidence
75% confidence
Finding
The documentation recommends maintaining a Chinese-only description for user-visible content without requiring user language preference or opt-in. This can impair informed consent and transparency for non-Chinese-speaking users, especially when the skill performs scraping and file operations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal