Mental Models Cn V2.1.0 Backup

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Chinese mental-model skill, with some broad triggers and investment guidance users should treat cautiously.

Install as a reference/documentation skill. Prefer the normal ClawHub install path, verify the source before manual clone/copy installation, do not run any absent or newly downloaded recommendation script without inspecting it, and treat the investment material as educational decision support rather than professional financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 92%
Finding
The changelog documents newly added trigger words such as investment- and psychology-related phrases that are broad enough to match ordinary user conversation outside an explicit skill invocation. In an agent-skill context, overly broad triggers can cause unintended activation, which may inject unsolicited advice or route user requests into this skill when the user did not intend to use it.

Vague Triggers

Medium
Confidence: 95%
Finding
Triggers like “推荐模型”, “行业分析”, “投资决策”, and “竞争策略” are generic task phrases that many unrelated conversations may contain. Because this skill concerns broad advisory domains, accidental activation is more plausible and could lead to misrouting, confusing responses, or unrequested analytical framing in sensitive business or investment contexts.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list contains broad, common phrases such as '如何分析' and '如何决策', which can cause unintended activation in ordinary conversations unrelated to this skill. In an agent environment, overly broad routing can surface the skill unexpectedly, increasing the chance of inappropriate context capture, workflow interference, or accidental execution of associated logic/tools.

Vague Triggers

Medium
Confidence: 88%
Finding
The examples normalize invocation from very broad natural-language requests, which encourages the system to treat generic analytical questions as skill activations without clear user intent. This increases the risk of misrouting, unexpected behavior, and over-collection or processing of user context in conversations where the user did not explicitly request this skill.

Missing User Warnings

Medium
Confidence: 93%
Finding
The file provides concrete investment decision guidance, including explicit thresholds and '买入/观察/等待' recommendations, without any warning that the material is educational only and not personalized financial advice. In the context of an agent skill that users may treat as actionable guidance, this increases the risk of users making real financial decisions without understanding risk, suitability, or uncertainty.

VirusTotal

63/63 vendors flagged this skill as clean.
