News Trust Check

Security checks across malware telemetry and agentic risk

Overview

This is a small claim-checking skill with a simple local risk-scoring helper and no hidden access, persistence, credential use, or destructive behavior.

Use this as a fact-checking aid, not a guarantee. For financial, legal, medical, security, or urgent money-transfer claims, verify directly with official sources and treat the Python helper as a quick keyword risk screen only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The skill metadata claims verification using high-trust source pools, but the implementation only performs local keyword matching and scoring. In a rumor/scam verification context, this can mislead users into believing claims were actually checked against authoritative sources, causing false reassurance or incorrect fraud assessments.

Vague Triggers

Medium
Confidence: 79%
Finding
The description uses broad triggers like judging true/false rumors, scams, credibility, and risk, which can cause the skill to activate for many ordinary conversations. Over-broad routing is dangerous because it can unnecessarily steer users into a specialized workflow, increase unintended data exposure to external source checks, or override a more appropriate domain-specific skill.

Natural-Language Policy Violations

Medium
Confidence: 86%
Finding
Forcing Chinese-only verdict labels and output structure without a language choice can cause users to misunderstand the risk classification, especially in high-stakes scam or rumor verification contexts. Security-relevant guidance is less effective when recipients cannot clearly interpret the verdict, evidence, or recommended action, which can lead to unsafe decisions.

VirusTotal

66/66 vendors flagged this skill as clean.
