Content Pilot

Security checks across malware telemetry and agentic risk

Overview

This is a content-marketing helper, but it is too broadly triggered and under-explains how network/API-key workflows may handle business content or publishing-related actions.

Install only if you intend to use it for marketing-content generation and related content operations. Avoid using generic business prompts to invoke it, review all generated content before any publication or account/subscription action, and do not provide confidential drafts, customer data, embargoed announcements, or secrets unless you are comfortable with the third-party API handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence: 96%
Finding: The activation trigger includes the generic phrase '相关业务需求' ("related business needs") and similar broad business language, which can cause the skill to activate for many unrelated user requests. Over-broad triggering increases the chance of unintended routing, misleading outputs, and accidental handling of sensitive business content under the wrong skill context.

Vague Triggers

High
Confidence: 95%
Finding: The examples show activation from vague prompts like '帮我处理一下业务需求' ("help me handle a business need") and '需要批量处理' ("need batch processing"), which normalizes ambiguous invocation for unrelated tasks. In an agent ecosystem, this can hijack routing decisions, cause inappropriate tool selection, and expand access to user inputs that were never intended for a marketing-content skill.

Missing User Warnings

Medium
Confidence: 84%
Finding: The skill references network connectivity, third-party services, and API keys without explaining what data may be transmitted externally or what privacy controls apply. That omission can lead users or orchestrators to send internal marketing drafts, customer data, or unpublished announcements to external providers without informed consent or proper safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.
