ClawHub

Product Hunt Cn

Security checks across malware telemetry and agentic risk

Overview

This skill is low-risk, but it appears to return static sample Product Hunt data while advertising live trending monitoring.

Install only if you are comfortable treating the results as sample/demo data. Do not rely on this skill for current Product Hunt trends unless the maintainer implements and documents real data fetching; the broad trigger terms may also make it activate more often than expected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function advertises Product Hunt top-product fetching but returns a fixed hardcoded list, creating a deceptive data-integrity issue. In a monitoring skill, users may rely on this output for decision-making under the false belief that it reflects current external data, which can mislead automation, analysis, or reporting.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The overall skill description promises daily trending Product Hunt monitoring, but the script only emits static mock entries. This is a genuine trust and integrity problem because downstream users or agents may treat fabricated output as live market intelligence, causing incorrect decisions or false reports.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad and include short, common terms like "PH" and generic concepts like "新产品" and "launch", which can cause the skill to activate in unrelated conversations. This can lead to unintended tool use, context hijacking, or surprising behavior that degrades safety and reliability, especially in multi-skill environments.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal