Multi Platform Trend

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public trending-topic lists from Chinese content platforms and does not show credential access, hidden persistence, destructive behavior, or data exfiltration.

Install this if you want an agent to fetch public trend data from Zhihu, Weibo, Baidu, and Bilibili. In locked-down or privacy-sensitive environments, confirm before running it because those platforms may see request metadata such as IP address and user-agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrases are broad everyday queries such as “今天什么热点” and “帮我看看热搜”, which can easily appear in normal conversation and cause unintended activation of the skill. In an agent environment, accidental invocation may lead to unexpected external network requests, retrieval of third-party content, and confusing or privacy-impacting behavior without clear user intent.

Missing User Warnings

Low
Confidence: 78%
Finding
The README describes scraping or fetching data from external platforms and notes that some environments may require a proxy, but it does not clearly warn users that the skill performs outbound network access to third-party services. This can surprise users or administrators in restricted environments and may create compliance, privacy, or policy issues if network activity occurs without explicit disclosure.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrase "今天什么热点" is broad and overlaps with normal conversational language, so the skill could activate when the user is merely asking a general question rather than intending to run this specific tool. Unintended activation may cause unnecessary network access and confusing behavior, especially because the skill reaches out to external services.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description emphasizes real-time scraping from multiple external platforms but does not clearly tell users, at the point of use, that it will send network requests to third-party sites. This is risky because users may unknowingly trigger outbound requests, exposing metadata such as IP address or request fingerprints to those services.

VirusTotal

65/65 vendors flagged this skill as clean.
