ClawHub

gate-exchange-welfare

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, read-only Gate welfare lookup skill; its broad trigger examples are a routing concern but not enough to make the package a Review item.

Install only if you intend to use it with a Gate MCP session for welfare rewards. Use an API key restricted to Welfare:Read, do not paste secrets into chat, and be aware that generic task or reward questions may activate this skill unless your agent asks for clarification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The changelog documents broad trigger phrases such as 'what welfare' and 'how to claim rewards', which are generic enough to match unrelated user requests and cause unintended skill activation. In a financial/welfare workflow, accidental invocation can misroute conversations, expose account-related flows unnecessarily, and increase the chance the agent presents sensitive eligibility or rewards guidance in the wrong context.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill advertises very broad triggers such as 'welfare center', 'new user tasks', and 'claim reward', which can overlap with many common support or rewards-related user questions. This can cause unintended invocation and misrouting, especially since the skill performs identity-based branching and may intercept requests better handled by narrower account, assets, or trading flows.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger scenario uses broad terms like 'benefits', 'rewards', and 'tasks', which can match common conversational requests outside the intended Gate welfare context. This can cause the skill to activate unexpectedly and initiate identity/task queries against the Gate MCP, leading to unnecessary access to account-scoped welfare data and incorrect routing.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing table includes generic keywords such as 'welfare', 'rewards', and 'what tasks can I do' without requiring product or platform qualification. In an agent environment, overly generic routing increases the chance of accidental skill invocation and account-data lookups unrelated to the user's actual intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The scenario uses very generic trigger examples like 'What tasks can I do' and 'Task list', which can cause this welfare skill to activate for broad task-related requests unrelated to welfare. That can misroute users, suppress the correct domain skill, and cause unnecessary identity/tool calls, increasing the chance of confusing or privacy-impacting behavior.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The cross-skill trigger phrase 'How to trade' is too broad and overlaps with ordinary trading help requests that should likely go directly to the spot trading skill. In practice this can cause incorrect routing through the welfare workflow, producing misleading responses or delaying users from reaching the appropriate trading function.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal