Security audit

Kid Activity Registration Command Center

Security checks across malware telemetry and agentic risk

Overview

This prompt-only skill is mostly a family registration organizer, but it includes unsafe advice to store a child’s ID and payment-related details in a reusable note.

Review before installing. The skill is not executable and shows no exfiltration or credential use, but users should avoid following its memo/copy-paste advice for children’s ID numbers or payment details. Enter sensitive identity or payment information directly into trusted organizer portals or a secure password/document manager instead.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The Chinese scenario explicitly tells users to prepare and store a child’s ID number along with guardian contact details for quick reuse during registration, which conflicts with the stated safety boundary against handling full sensitive IDs. Even though this is framed as convenience advice rather than direct collection by the skill, it normalizes insecure storage and repeated exposure of a minor’s sensitive personal data, increasing privacy and identity-risk exposure.

Ssd 3

Medium
Confidence: 97%
Finding
The example advises pre-collecting and storing a child’s ID number, guardian phone, emergency contact, and payment-related details in a reusable note for fast copy/paste. That creates a concentrated store of sensitive data about a minor and the family outside official registration systems, making accidental disclosure, device compromise, or unauthorized reuse more likely.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.