Zhihu Content Strategist

Security checks across malware telemetry and agentic risk

Overview

This skill is a Zhihu content-planning helper with some under-specified scraping guidance, but the included script runs offline and no hidden or destructive behavior was found.

Install only if you want a Zhihu content strategy and drafting helper. Treat any live scraping as a separate, user-approved action: check Zhihu rules, avoid collecting unnecessary personal/content data, do not store copied answer text, and review drafts for fabricated personal claims or unsupported statistics before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The skill references boundary conditions but leaves them effectively undefined, which means there is no clear activation scope, user-consent model, or operational constraint for when scraping, analysis, and draft generation should occur. In an agent setting, missing boundaries can lead to over-broad execution, unintended network access, and unsafe handling of user or third-party data because the skill does not explicitly limit what inputs, domains, or actions are permitted.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill states it will scrape Zhihu hot lists and top answers but does not provide a prominent user-facing disclosure that it may access external sites and collect third-party content. This is dangerous because users may unknowingly trigger network activity, and the agent may ingest copyrighted or personal content from third parties without clear consent, transparency, or review of legal and privacy implications.

VirusTotal

53/53 vendors flagged this skill as clean.
