多平台返利管家

Security checks across malware telemetry and agentic risk

Overview

The skill appears useful for rebate tracking, but it handles account-linked rebate and order data without enough disclosed privacy and consent boundaries.

Install only if you are comfortable connecting rebate or shopping-account data. Before use, confirm which platforms it accesses, what order or account fields it reads, whether data is stored or shared, and require explicit confirmation before any sync or report generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger list contains generic terms such as '返利管理', '返利报告', and '省钱报告' that could be invoked during ordinary conversation, causing the skill to activate outside clearly intended contexts. For a skill dealing with multi-platform rebate accounts and order tracking, accidental invocation increases the chance of exposing or soliciting sensitive account and purchase-history data without sufficient user intent confirmation.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill is explicitly designed to aggregate rebate accounts across multiple platforms and sync order-status data, which implies handling sensitive financial, shopping, and account-linked information. Because the description omits any privacy notice, consent flow, data minimization statement, or security boundary, users may not understand the scope of data access and the system may over-collect or expose cross-platform behavioral data.

VirusTotal

63/63 vendors flagged this skill as clean.
