gate-exchange-activitycenter

Security checks across malware telemetry and agentic risk

Overview

This Gate activity skill is read-only and mostly purpose-aligned, but its generic triggers could unexpectedly use a configured exchange API session for activity lookups.

Install only if you want your agent to use a Gate MCP session for activity-center lookups. Use a dedicated Gate API key limited to Activity:Read, and treat short prompts like "my activities" or "what activities" as potentially invoking Gate campaign data unless your agent adds clarification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrase "what activities" is overly generic and can match ordinary conversation unrelated to Gate campaigns. This broad activation surface can cause the skill to run in the wrong context, potentially exposing account-linked activity information or causing unintended tool calls.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrase "what activities" is overly generic and can match ordinary conversation unrelated to Gate campaigns. This broad activation surface can cause the skill to run in the wrong context, potentially exposing account-linked activity information or causing unintended tool calls.

Natural-Language Policy Violations

High
Confidence: 89%
Finding
Mandating translation of non-English input to English without user choice can alter search semantics and produce incorrect matches, especially for proper nouns or campaign names. This is dangerous because it can misroute searches, hide intended results, and degrade reliability for multilingual users in a financial platform context.

Vague Triggers

Medium
Confidence: 92%
Finding
The examples in this section use very broad, generic phrases like asking for available or recommended activities, which can be triggered during ordinary conversation even when the user did not intend to invoke this specific skill. In a financial exchange context, unintended invocation can misroute the conversation, cause irrelevant backend queries, and surface promotional trading content when the user may have been asking more generally.

Vague Triggers

Medium
Confidence: 90%
Finding
Phrases like 'My activities' and 'What activities have I joined' are ambiguous and can overlap with common support or account-history requests. In this skill, such ambiguity may cause the agent to invoke an account-linked activity lookup, exposing enrolled-campaign information or causing confusing behavior when the user meant something broader than exchange promotions.

VirusTotal

66/66 vendors flagged this skill as clean.
