Tree hole, wanna listen to your story and life voice. Hope you could give me your story.

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for anonymous story submission, but it may send chat history or freeform personal content to a Feishu form without strong enough consent and disclosure.

Review this skill carefully before installing. Only use it when you intentionally want content sent to the Feishu form, and avoid allowing it to use prior chat history unless the exact text to be submitted is shown and you explicitly confirm it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 89% confidence
Finding
The trigger conditions are broad enough that the skill could activate for loosely related phrases like 'share anonymously' and then guide data submission to an external service. In this context, overbroad routing is risky because the skill handles sensitive freeform stories and may also submit recent chat history, increasing the chance of unintended disclosure.

Missing User Warnings

Medium, 97% confidence
Finding
The skill explicitly supports fetching chat conversation history and submitting it to an external Feishu form, but it does not require a clear user-facing disclosure that data will leave the agent environment and may be retained by a third party. This creates a meaningful exfiltration and privacy risk, especially because chat logs can contain sensitive personal, confidential, or regulated information even if some PII is manually anonymized.

VirusTotal

63/63 vendors flagged this skill as clean.
