ClawHub

配置拉取代码生成

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Android code-template generator that edits project files for its stated purpose, with changes users should review before accepting.

Install only if you want an agent to generate and apply Android configuration integration code. Review the generated diff before committing, especially PluginModule lifecycle hooks, API URLs, push keys, credential references, and logging of configuration values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly requires writing generated code into workspace files without first requiring clear user confirmation or warning that local project files will be modified. This is dangerous because an automatically triggered skill could alter source files, plugin hooks, or network/service code in the user's repository, causing unintended code changes or persistence of unsafe templates.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The repeated instruction that generated code must be written to the workspace reinforces non-consensual file modification as a mandatory behavior. Repetition increases the chance that an agent will treat file writes as required even when the user only asked for guidance, making the skill more dangerous in contexts where generated plugin hooks and service stubs are inserted into real application code.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal