全家返利管家

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it proposes managing family members’ rebate accounts, orders, and withdrawals without clear consent or privacy safeguards.

Review before installing. Only use this skill if every family member has explicitly agreed, each account is separately authorized, every order and withdrawal requires confirmation, and there is a clear plan for who can view, store, export, and delete family shopping and rebate history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are very broad and include generic shopping and savings terms, which can cause the skill to activate in ordinary conversations unrelated to explicit user intent. In a finance-adjacent skill that manages family rebate accounts and withdrawals, unintended invocation raises the risk of exposing sensitive household financial data or prompting actions on behalf of family members without clear consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly centralizes multiple family members' rebate accounts and supports unified withdrawals, but it does not describe consent, access control, or privacy protections for financial and order data. Because this involves aggregating potentially sensitive information across several people and moving funds into a shared account, weak or missing safeguards could enable unauthorized access, coercive control, or privacy violations within a household.

VirusTotal

VirusTotal findings are pending for this skill version.
