Target Information Web Search and Summary

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only web research workflow that is broadly scoped and sensitive in places, but it does not add code, persistence, credential use, or hidden access mechanisms.

Install only if you want the agent to perform deep public web research, including multilingual searches. For competitor, pricing, procurement, or regulatory topics, tell the agent to use only public or authorized sources, disclose translated/local-language queries when relevant, and provide source links, dates, and confidence levels for important claims.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill description defines very broad activation conditions such as retrieving 'hidden', 'professional', or 'hard-to-directly-obtain' information across multiple domains, including competitor intelligence and non-public pricing details. This can cause over-invocation for sensitive requests and steer the agent toward collecting confidential or ethically questionable information, increasing the risk of privacy, policy, or competitive-intelligence abuse.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The methodology requires using the target region's native language for searches without any user awareness, consent, or alternative path. This can cause the agent to silently expand data collection into jurisdictions, languages, and sources the user did not intend, increasing privacy, compliance, and safety risks—especially in a skill explicitly designed for hidden, hard-to-obtain, or competitor intelligence gathering.

VirusTotal

64/64 vendors flagged this skill as clean.
