Mihomo Subscription Route Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent and instruction-only, but it can publish live routing changes and restart Mihomo without a built-in confirmation gate.

Install this only if you control the referenced Mihomo repository, rules.xiannai.me deployment, and related Cloudflare/GitHub credentials. Require the agent to show exact file changes and get explicit approval before deploy, sync, restart, commit, or push actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium, 93% confidence
Finding
The FAQ explicitly states that the skill may sync `/etc/mihomo/config.yaml` and restart `mihomo`, which are live system changes with service-impacting consequences. In an agent skill driven by natural-language requests, documenting these actions without an explicit warning, confirmation gate, or safety boundary increases the risk of unintended configuration changes, traffic disruption, or loss of connectivity.

Missing User Warnings

Medium, 92% confidence
Finding
The README explicitly frames the skill as making repository changes, redeploying a worker, and updating a live published subscription, but it does not warn that using the skill can modify deployed production-like infrastructure. In an agentic environment, that omission can cause users or higher-level orchestrators to invoke the skill without informed consent or appropriate safeguards, increasing the chance of unintended operational changes.

Vague Triggers

Medium, 87% confidence
Finding
The skill is activated by very broad natural-language cues around routing changes, which can cause it to run in response to ordinary user requests without clear confirmation that live subscription state should be modified. In this skill's context, activation leads to editing canonical config, deploying a worker, and syncing public artifacts, so ambiguous triggering materially increases the chance of unintended production changes.

Missing User Warnings

Medium, 95% confidence
Finding
The workflow explicitly instructs the agent to deploy the worker and trigger `/sync`, which modifies live published configuration, but it does not require an explicit warning or confirmation from the user before taking those production actions. Because this skill treats live validation and publication as mandatory, a misunderstood request or prompt injection routed through the skill could directly cause unauthorized or accidental production changes.

VirusTotal

65/65 vendors flagged this skill as clean.