胡田 OPC导师 AI资产知识产权保护 (Hu Tian OPC Mentor: AI Asset Intellectual Property Protection)

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only IP guidance skill, but it gives high-impact legal filing advice through under-qualified statements that could lead users to submit inaccurate declarations, or to hand over sensitive personal and business data, without adequate safeguards.

Install only if you treat it as a rough checklist, not legal advice. Before using it for filings, verify current requirements with the relevant authority or qualified IP counsel, never sign declarations that are not true for your materials, avoid padding or fabricating code, and redact or tightly control any ID documents, source code, business records, or data samples before uploading them anywhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The handbook explicitly instructs applicants to sign a declaration that the submitted materials were '未使用AI自动生成' (not automatically generated by AI), despite the skill being about protecting AI-related deliverables. If followed for AI-assisted or AI-generated materials, this encourages false statements in a legal filing, creating fraud, perjury, or application-invalidity risk and exposing both applicants and operators to serious legal consequences.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger condition is overly broad: it gives a single vague example phrase without defining boundaries, exclusions, or required context. On an agent platform, underspecified activation can cause the skill to fire on loosely related user inputs, injecting legal-style guidance into the wrong context and increasing the risk of inappropriate, overconfident, or irrelevant assistance.
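The over-activation described above, as an added example that is not part of the scan report or the scanned skill. The trigger representation (keywords, required context, exclusions), the two trigger definitions and the sample user inputs are all constructed here to show why a single loose phrase fires on unrelated requests while a scoped trigger does not:

```python
"""Compare an overly broad skill trigger with a scoped one.

The SkillTrigger format below is a hypothetical stand-in for whatever the
agent platform actually uses; it is not the scanned skill's definition.
"""
import re
from dataclasses import dataclass


def _has_phrase(text: str, phrase: str) -> bool:
    """Whole-word match so 'ip' does not hit 'ship' or 'zip'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


@dataclass(frozen=True)
class SkillTrigger:
    name: str
    keywords: tuple[str, ...]            # at least one must appear
    context: tuple[str, ...] = ()        # if set, at least one must also appear
    exclusions: tuple[str, ...] = ()     # if any appears, never fire

    def fires(self, user_text: str) -> bool:
        t = user_text.lower()
        if any(_has_phrase(t, x) for x in self.exclusions):
            return False
        if not any(_has_phrase(t, k) for k in self.keywords):
            return False
        if self.context and not any(_has_phrase(t, c) for c in self.context):
            return False
        return True


# Hypothetical "one vague phrase" trigger, as the finding describes.
BROAD = SkillTrigger(
    name="broad",
    keywords=("ip", "intellectual property", "copyright", "ai"),
)

# Hypothetical scoped trigger: filing intent required, networking senses excluded.
SCOPED = SkillTrigger(
    name="scoped",
    keywords=("copyright registration", "software copyright", "data ip registration"),
    context=("file", "filing", "apply", "application", "register", "submit"),
    exclusions=("ip address", "tcp/ip", "ipv4", "ipv6"),
)

# Constructed sample inputs; only indices 0 and 3 actually concern an IP filing.
SAMPLE_INPUTS = [
    "Help me prepare a software copyright registration filing for our AI model.",
    "Why does my container get a new IP address after restart?",
    "Write a blog post about the history of intellectual property law.",
    "Which documents do I submit for data IP registration?",
    "Can you review the pull request for the AI pipeline?",
]
RELEVANT = {SAMPLE_INPUTS[0], SAMPLE_INPUTS[3]}


def evaluate(trigger: SkillTrigger, inputs: list[str]) -> list[str]:
    """Return the inputs on which the trigger activates."""
    return [text for text in inputs if trigger.fires(text)]


def false_activations(trigger: SkillTrigger, inputs: list[str], relevant: set[str]) -> list[str]:
    """Inputs that activated the skill but should not have."""
    return [text for text in evaluate(trigger, inputs) if text not in relevant]


if __name__ == "__main__":
    for trig in (BROAD, SCOPED):
        print(trig.name, "fires on", len(evaluate(trig, SAMPLE_INPUTS)),
              "of", len(SAMPLE_INPUTS), "inputs;",
              "false activations:", len(false_activations(trig, SAMPLE_INPUTS, RELEVANT)))
```

The broad trigger activates on every sample input, including the networking question and the code-review request, which is exactly the wrong-context guidance the finding warns about; the scoped trigger activates only on the two filing requests.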

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The document directs users to collect and upload highly sensitive personal and business materials, including ID cards, 实名截图 (real-name verification screenshots), and application documents, but provides no handling, storage, minimization, or redaction guidance. In a skill context, this can normalize oversharing and increase the chance of identity theft, unauthorized retention, or accidental disclosure of regulated personal data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The handbook tells users to prepare and submit data samples for data-IP registration but lacks concrete safeguards on consent, lawful basis, de-identification standards, and scope control. This is dangerous because users may disclose personal, confidential, or third-party data under the mistaken belief that simple '脱敏' (desensitization) is sufficient, leading to privacy, contractual, or regulatory violations.

Ssd 4

Severity: Medium
Confidence: 93%
Finding
The guidance suggests meeting filing thresholds by '补充注释、空行、辅助类代码' (adding comments, blank lines, and helper code), which can be read as padding application materials rather than accurately documenting the actual software. In an IP application context, this can steer users toward deceptive or low-integrity submissions, undermining the validity of filings and creating legal and compliance exposure.

VirusTotal

65/65 vendors reported this skill as clean.