company-search-kimi

Security checks across malware telemetry and agentic risk

Overview

This is a public-source company research skill that is broad and Chinese-oriented, but its behavior is disclosed and proportionate.

Install this if you want Kimi-based public company research reports. Be aware that company names, search terms, and research targets may be sent to the configured search/fetch tools, and the default workflow is Chinese-language and due-diligence style. Verify important legal, financial, or reputational conclusions against the cited sources before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill’s activation criteria are extremely broad, covering generic company-related research requests that many assistants may receive in normal conversation. This can cause unintended invocation, leading the agent to collect, structure, and present sensitive corporate or personal information in contexts where the user did not explicitly request this specialized workflow.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description is broad enough to match many generic 'company research' requests without clear trigger boundaries, which can cause the agent to invoke this skill in situations the user did not intend. Over-broad routing increases the chance of unnecessary external searching/fetching, incorrect tool use, and leakage of user context to third-party tools.

Natural-Language Policy Violations

Medium
Confidence: 87%
Finding
The description specifies Chinese-language behavior ('生成结构化报告') without indicating that this depends on user preference or locale, which can override user intent and produce outputs in an unexpected language. While not typically a direct code-execution issue, it can degrade reliability, mis-handle user instructions, and increase the chance of unsafe or inappropriate autonomous behavior in multilingual contexts.

VirusTotal

66/66 vendors flagged this skill as clean.
