ClawHub

Hutian Opc Ma Match

Security checks across malware telemetry and agentic risk

Overview

This M&A matching skill is mostly reference material, but it includes concrete shell-company targeting, contact lists, and advice to disguise buy-shell intent in a sensitive securities context.

Install only if you have legitimate M&A authority and legal/compliance supervision. Treat the shell-company contact lists and outreach templates cautiously: do not use deceptive framing, do not imply a different purpose than the real transaction intent, do not trade on or solicit insider information, and handle all contacts and diligence materials under privacy, NDA, and securities-law controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document does not merely analyze shell-resource candidates; it operationalizes outreach by listing named contacts, phone numbers, email addresses, and suggested engagement tactics for approaching specific listed companies about control-change or shell transactions. In a skill intended for merger matching, this materially lowers the barrier for targeted solicitation, regulatory evasion, or abusive deal sourcing, especially because it couples contact intelligence with prioritization and scripts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The report explicitly recommends '概念炒作型并购' and frames acquirer selection around market-value promotion rather than genuine strategic fit. In a deal-sourcing skill intended for technology commercialization, this encourages manipulative or misleading transaction behavior and can steer users toward buyers whose primary motive is stock promotion instead of operational integration.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The scoring framework formally includes whether a buyer can '讲故事' and use the target to boost market value, embedding promotional-manipulation criteria into core decision logic. Because this is a systematic ranking feature rather than incidental wording, it can repeatedly produce biased recommendations that favor speculative or potentially deceptive transactions over legitimate commercialization outcomes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document includes specific personal contact details and operational guidance for using them to initiate acquisition-related outreach, but it provides no privacy, consent, retention, or lawful-use boundaries. In a dealmaking skill, this creates a realistic risk of misuse of personal/business contact data, including unsolicited targeting, improper profiling, or non-compliant data handling.

Missing User Warnings

High
Confidence
99% confidence
Finding
The document explicitly instructs users to conceal the true intent of a control-transfer or shell acquisition approach by framing it as 'strategic cooperation' and avoiding direct disclosure. That is dangerous because it operationalizes deceptive pretexting in a sensitive securities/M&A context, increasing risks of misleading counterparties, evading scrutiny, and facilitating non-compliant or manipulative conduct.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document directs users to collect and consolidate sensitive debt, guarantee, and litigation information from third-party data sources without defining permissible scope, handling controls, or compliance boundaries. In practice, this can lead to overcollection, improper processing of sensitive corporate/person-related data, and due-diligence activities that drift into unlawful or unethical information gathering.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file aggregates direct names, phone numbers, and email addresses for specific corporate contacts and presents them as a quick outreach list without any privacy, lawful-use, or handling restrictions. In the context of a merger-matching skill, this materially lowers the barrier to targeted unsolicited contact, social engineering, and misuse of personal/business contact data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The outreach templates explicitly advise approaching targets under neutral investment/IR or business-cooperation framing while omitting compliance guardrails. In this skill's context, that creates a practical playbook for pretextual contact and covert solicitation around sensitive corporate control topics, increasing legal, reputational, and manipulation risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The markdown exposes detailed contact information and then pairs it with recommended outreach sequencing and talking points, effectively turning public disclosures into a ready-to-use targeting list. Even if the data originates from public filings, bundling it in this context increases misuse risk for spam, harassment, manipulative market approaches, or circumvention of proper compliance channels.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The form requests highly sensitive business, financial, technical, and personnel information, including shareholder structure, core team details, customer concentration, IP, and potentially regulated data, but it does not give the submitting party concrete privacy, minimization, or secure-submission warnings. In an M&A diligence context this is somewhat expected, but without explicit safeguards users may over-disclose trade secrets or personal data before adequate legal controls, secure channels, and need-to-know boundaries are established.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The attachment checklist asks for especially sensitive materials such as audit reports, patent certificates, team resumes, product materials, and customer lists, but it does not prominently warn about redaction, metadata leakage, malware risk in uploaded files, or the commercial sensitivity of these documents. In a deal-sourcing skill, this increases the chance that users disclose unnecessary confidential data or submit unsafe files into downstream systems without adequate protection.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The plan explicitly includes collecting '联系方式(如有)' for Hong Kong shell-resource targets without any stated lawful basis, minimization rule, retention limit, access control, or compliance notice. In an M&A-targeting context, contact details can be personal data or sensitive business contact information, so documenting collection without privacy guardrails creates a real risk of unauthorized processing, misuse, or regulatory non-compliance.

Ssd 2

Medium
Confidence
99% confidence
Finding
The text instructs users to avoid directly mentioning 'buying a shell' and instead use euphemisms such as 'strategic cooperation' or 'industry integration' to probe sell-shell willingness. This is dangerous because it operationalizes concealment of true intent during sensitive corporate outreach, a hallmark of deceptive social-engineering behavior in an M&A setting.

Ssd 4

Medium
Confidence
98% confidence
Finding
The document lays out a staged trust-building sequence: begin with innocuous investor-relations contact, build trust through securities representatives, then seek direct board access. In a skill specifically designed to identify shell targets and assess sell-side receptiveness, this escalation path meaningfully facilitates targeted social engineering and unauthorized influence over sensitive decision-makers.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal