胡田 OPC Mentor: SPAC Capital Path Planning

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only SPAC planning skill whose file-generation and sensitive business-data handling are disclosed and aligned with its purpose, but users should control outputs and sharing.

Install only if you want an advisory business-planning skill for SPAC/listing preparation. Provide the minimum SPV, governance, financial, and legal data needed; run it in a dedicated folder; review generated or regenerated files before relying on them; and do not share reports with lawyers, banks, or investors without separate privacy, legal, and business review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill’s harness introduces file creation and regeneration behaviors that go beyond merely describing SPAC planning and can modify the user workspace by producing multiple artifacts. This expands the skill from advisory content into an autonomous file-writing workflow without clear minimization, consent, or path restrictions, creating risk of unexpected workspace changes or overwriting user materials.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The post-check and self-heal sections authorize broad workspace writes and repeated regeneration of nine reference files, which is not narrowly scoped to the core planning purpose. If implemented by an agent, these behaviors could create, replace, or churn files in the project without adequate user awareness or tight destination controls.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill describes automatic generation and regeneration of multiple files but does not warn the user that workspace contents may be modified. Lack of an explicit modification warning undermines informed consent and increases the chance that an agent will perform unexpected writes, replacements, or repeated output generation.

Missing User Warnings

Medium
Confidence: 88%
Finding
The handoff section contemplates output to external institutions such as banks or lawyers but provides no privacy or data-sharing warning, despite involving potentially sensitive financial, governance, and ownership information. This creates a risk that an agent or user may package and transmit confidential business data without adequate consent, redaction, or jurisdiction-specific review.

VirusTotal

64/64 vendors flagged this skill as clean.
