Opmc Expert Committee

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese-language decision-support skill made of markdown reference material, with no code execution, persistence, credential access, or data exfiltration behavior found.

Install this only if you want a Chinese expert-panel style advisory framework. Review the included case-study reference files because they contain concrete business-scenario details, and avoid relying on the skill as legal, financial, or compliance advice without qualified human review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger description is extremely broad, covering generic terms like '专家', '多角度分析', and '决策支持', which can cause this skill to activate for many ordinary requests outside its intended scope. Overbroad activation increases prompt-routing risk, may override more appropriate skills, and can unexpectedly steer benign user tasks into this skill’s prescribed behavior.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill metadata and operating instructions are written to function in Chinese without offering a user-language fallback or documenting that the skill is intentionally locale-bound. This can cause misleading outputs, exclusion of non-Chinese users, and incorrect handling when the surrounding system or user expects another language.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions for Skill 1 are very broad and can activate on common user requests about technology, business direction, or future trends without clear boundaries. In a multi-skill agent, this increases the chance of inappropriate routing, causing the model to apply this expert persona when the user did not explicitly request it, which can lead to overconfident strategic guidance and bypass of more suitable domain-specific or safety-constrained skills.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Skill 2 is framed around ecosystem discovery, partner finding, and resource linking, but its trigger conditions are underspecified and may fire on vague requests about a technical field or collaboration needs. That ambiguity is risky because the skill could be invoked in contexts involving sensitive networking, targeting individuals, or sourcing capabilities without sufficient checks, especially since the outputs include key people, acquisition paths, and participation strategies.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger conditions for '政策红利穿透' are broad enough to match many generic requests about industries, policy environment, or risk assessment, which can cause the skill to activate outside its intended scope. In an agentic system, overbroad activation can route ordinary user prompts into a specialized decision-support workflow, leading to inappropriate authority, misleading outputs, or policy-sensitive guidance being applied when not requested.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The second skill's activation criteria are similarly underspecified and lack clear boundaries or negative cases, so broad requests about strategy, downturns, or business continuity may incorrectly trigger this specialized cycle-analysis mode. That increases the risk of accidental overreach, where the agent presents macroeconomic or investment-style recommendations with undue confidence in contexts that need narrower, domain-specific advice.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions for the 3C positioning skill are broad enough to overlap with ordinary marketing or strategy questions, which can cause the agent to invoke this skill when the user did not explicitly request expert-committee style analysis. In this skill set, over-triggering can steer conversations into persuasive positioning guidance unnecessarily, increasing the chance of unintended influence, irrelevant outputs, or bypass of more appropriate narrower skills.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The demand-generation skill is triggered by vague conditions like wanting stronger demand or higher conversion, which are common across many benign business queries. Because this specific skill centers on manipulating perceived gaps, urgency, and switching barriers, accidental activation is more sensitive than ordinary routing mistakes and may push the agent toward unnecessarily coercive or overly persuasive advice.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions for '核心冲突提炼' are broad enough that the skill may be invoked for many loosely related branding or messaging requests without clear boundaries, exclusions, or authorization checks. In this file's context, the skill explicitly promotes controversy, emotional manipulation, and attention-capture tactics, which increases the chance that unintended invocation leads to manipulative or ethically risky outputs.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The social marketing skill uses vague activation language such as designing viral content or improving spread, which can cause the agent to activate in situations where the user did not clearly request aggressive growth tactics. Because the surrounding methodology emphasizes '裂变', emotional provocation, and controversy-driven dissemination, accidental or overbroad invocation could amplify manipulative campaigns, spam-like behavior, or platform-policy violations.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger conditions for Skill 1 are broad and lack exclusion criteria, so the agent may invoke this skill for loosely related requests about AI architecture, deployment, or technical debt. In a committee-style advisory skill, over-triggering can cause incorrect routing, irrelevant expert framing, or unintended processing of sensitive business/technical context, which is a genuine security and reliability risk even without overtly malicious content.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The second skill's activation conditions are similarly vague, covering generic concerns like maintenance cost, risk assessment, or refactoring plans without clear boundaries. This increases the chance of accidental invocation on normal discussion of AI systems, potentially leading to unnecessary analysis of internal architecture, compliance-sensitive details, or misapplication of the skill's recommendations.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Skill 1’s trigger conditions are broad enough to activate on many normal product, design, or technical-help requests, which can cause the agent to invoke this expert persona unexpectedly. That creates scope-control risk: the skill may override more appropriate domain-specific handling, produce unsolicited strategic guidance, or expand its influence across unrelated prompts.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Skill 2 uses ambiguous activation language like optimizing user experience or balancing technology and cost, which are common across many ordinary business and product conversations. In a multi-skill agent, this can lead to accidental routing, over-application of this framework, and reduced reliability or safety if the wrong skill shapes the response.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Skill 1 can be invoked by very broad prompts such as general legal-risk, compliance, or dispute concerns, without clear scoping or authorization checks. In an agent environment, this increases the chance the skill is selected for loosely related requests and may produce quasi-legal guidance or risk-analysis workflows in contexts where narrower routing, disclaimers, or human review are needed.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Skill 2 is triggered by common enterprise needs like training, compliance culture, and system building, which overlap with many ordinary business-assistance requests. Without tighter boundaries, the agent may over-invoke this skill and generate authoritative-seeming compliance programs or governance recommendations outside the intended scope, potentially displacing safer general-purpose assistance or required expert review.

VirusTotal

59/59 vendors flagged this skill as clean.
