Hutian Opc Ontology Casting

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only business assessment and transformation framework with no executable payload or hidden data access.

Safe to install as a reference skill. Before using it to build real enterprise automations, define approval gates for automatic triggers, minimize and protect customer data, set retention limits, and reconcile the MIT license metadata with the document’s internal-use language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
95% confidence
Finding
The manifest advertises a narrow 5-dimension assessment skill, but the body contains a substantially broader methodology for enterprise transformation, platform onboarding, commercialization, pricing, and deployment. This scope mismatch can mislead users and downstream agents about what the skill will do, causing unintended execution of business guidance beyond the declared purpose and reducing the effectiveness of policy, review, and consent boundaries.

Vague Triggers

Medium
90% confidence
Finding
The interface spec allows `automatic|event` triggers with an unconstrained `conditions` array, but does not define required predicates, approval gates, or exclusion cases. In an agent/skill marketplace context, this can cause unintended execution on overly broad events, leading to unauthorized actions, excess calls, or business workflow disruption if a skill is wired to sensitive enterprise data or actions.

Missing User Warnings

Medium
83% confidence
Finding
The document instructs operators to monitor skill call data and collect customer feedback without specifying data minimization, retention, access control, consent, or audit requirements. In an enterprise AI deployment setting, this omission can lead to privacy leakage, excessive telemetry collection, or noncompliant handling of customer/business data.

VirusTotal

64/64 vendors flagged this skill as clean.
