商家GEO推手

Security checks across malware telemetry and agentic risk

Overview

This merchant-promotion skill is mostly purpose-aligned, but it collects sensitive business identity materials and can automate live public posting from logged-in accounts with weak scoping and inconsistent confirmation controls.

Install only if you control the business materials and publishing accounts involved. Prefer draft/export mode, review every generated claim and customer case before use, redact unnecessary license or personal details, use dedicated work accounts, and require manual confirmation before any publish click.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Severity: Medium | Confidence: 94%

The document claims OAuth 2.0 / API-key based authorization, but the operational flow instead instructs the agent to reuse an already logged-in browser session and automate clicks to publish. That bypasses the per-platform consent and scope boundaries an OAuth grant would impose, exposes the user's authenticated session to automation misuse, and can cause unauthorized posting across multiple accounts if the skill is triggered unexpectedly.

Intent-Code Divergence

Severity: Medium | Confidence: 95%

The generator outputs a factual claim that the case content was shared with explicit customer authorization, but the program never collects, validates, or records such consent. This creates a deceptive-content and privacy/compliance risk: operators may publish false claims about customer approval, exposing the business to complaints, takedowns, or legal disputes.

Vague Triggers

Severity: High | Confidence: 95%

Trigger phrases such as '帮我写篇文章' (write me an article) or '生成推广文案' (generate promotional copy) are broad everyday expressions that can accidentally invoke a skill capable of collecting sensitive documents and automating publication. Because this skill can move from casual conversation into multi-platform posting workflows, overbroad activation materially increases the risk of unintended data collection or account actions.

Vague Triggers

Severity: Medium | Confidence: 88%

The applicability description is broad and lacks clear boundaries on who the skill is for, when it should not activate, and whether it is limited to business-owned content/accounts. In a skill that requests licenses, photos, and can automate publishing, ambiguous scope makes accidental or inappropriate invocation more dangerous than in a read-only content assistant.

Missing User Warnings

Severity: High | Confidence: 97%

The skill actively solicits highly sensitive materials including business licenses, storefront images, and responsible-person photos, but does not provide prominent upfront warnings about privacy risks, retention, secondary use, or the consequences of sharing identity-bearing documents. This is especially dangerous because the documents contain regulated identifiers and personally identifiable information that could be misused if stored, exposed, or mishandled.

Missing User Warnings

Severity: Medium | Confidence: 92%

The skill describes direct browser automation to create and publish content across several platforms, but does not present a strong risk disclosure or a prominent pre-action confirmation. In context, this is more dangerous because publishing is an external, account-affecting action that can damage reputation, violate platform rules, or post incorrect content at scale if the user does not fully understand the automation.

Vague Triggers

Severity: Medium | Confidence: 89%

The trigger section uses very broad phrases like '帮我宣传' (help me publicize), '帮我推广' (help me promote), and '写篇文章' (write an article), which can match many ordinary user requests outside the intended merchant-marketing workflow. This increases the chance of accidental invocation, causing the skill to solicit business documents and contact data from users who did not intend to enter a data-collection flow.
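The three Vague Triggers findings describe the same defect from different angles: a phrase that matches ordinary requests drops the user into a document-collection and publishing workflow. The Python below is an added illustration, not code from the 商家GEO推手 skill or from SkillSpector. It places the over-broad matcher the findings describe beside a scoped gate that requires both promotion intent and an explicit merchant-context term before activating, and that asks a clarifying question instead of silently activating when the business context is missing. All phrase lists and sample utterances are constructed for the example.

```python
from dataclasses import dataclass

# Constructed phrase lists for illustration; not the skill's real trigger set.
BROAD_TRIGGERS = ("帮我写篇文章", "生成推广文案", "帮我宣传", "帮我推广", "写篇文章")

INTENT_TERMS = ("推广", "宣传", "营销")                                 # promotion intent
MERCHANT_CONTEXT = ("我的店", "门店", "店铺", "商家", "餐厅", "奶茶店")  # business-owned context
NEGATIVE_CONTEXT = ("论文", "作业", "小说", "简历")                      # clearly not merchant marketing


def broad_match(utterance: str) -> bool:
    """The over-broad behaviour flagged above: any listed phrase anywhere activates,
    so everyday writing requests pull the user into a data-collection workflow."""
    return any(phrase in utterance for phrase in BROAD_TRIGGERS)


@dataclass(frozen=True)
class Decision:
    activate: bool
    reason: str


def scoped_match(utterance: str) -> Decision:
    """Activate only when promotion intent AND merchant context are both present.
    Intent without context yields a clarifying question, never silent activation."""
    if any(term in utterance for term in NEGATIVE_CONTEXT):
        return Decision(False, "non-merchant request")
    has_intent = any(term in utterance for term in INTENT_TERMS)
    has_context = any(term in utterance for term in MERCHANT_CONTEXT)
    if has_intent and has_context:
        return Decision(True, "promotion intent for a named business")
    if has_intent:
        return Decision(False, "ask: which business-owned storefront is this for?")
    return Decision(False, "no promotion intent")


# Constructed sample utterances.
SAMPLES = (
    "帮我写篇文章",                 # generic writing request
    "生成推广文案",                 # promotion intent, no business named
    "帮我推广一下我的奶茶店",       # promotion intent for the user's own shop
    "帮我宣传一下学校的论文比赛",   # promotion, but not merchant marketing
)


def compare(utterances=SAMPLES) -> list:
    """Return (utterance, broad_fires, scoped_fires, reason) for each sample."""
    rows = []
    for text in utterances:
        decision = scoped_match(text)
        rows.append((text, broad_match(text), decision.activate, decision.reason))
    return rows


if __name__ == "__main__":
    for text, broad, scoped, reason in compare():
        print(f"{text!r}: broad={broad} scoped={scoped} ({reason})")
```

Run stand-alone, the broad matcher fires on all four samples while the scoped gate activates only on the request that names the user's own shop; the bare '生成推广文案' produces a clarifying question rather than a data-collection prompt.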

Missing User Warnings

Severity: High | Confidence: 97%

The guide instructs collection of sensitive business and personal data, including storefront photos, business licenses, addresses, and phone numbers, but provides no privacy notice, purpose limitation, retention policy, or consent language. In this skill context, the risk is elevated because the workflow explicitly encourages uploading identity-bearing documents and images, which could expose business registration details and personal contact information if mishandled.

Missing User Warnings

Severity: Medium | Confidence: 94%

The document gives step-by-step browser automation instructions that culminate in publishing content to a live third-party platform, but it does not warn that these actions will post publicly and can affect the user's account, reputation, and stored platform data. In this skill's context, the omission is more dangerous because the entire capability is designed to help users mass-produce and distribute promotional content across external services, increasing the chance of unintended publication or account-impacting actions.

Missing User Warnings

Severity: Medium | Confidence: 97%

Across multiple platform sections, the guide repeatedly instructs login and publication on third-party services without clear disclosure of account, privacy, reputational, and public-posting consequences. This becomes more dangerous in this skill because it normalizes cross-platform automated publishing at scale, which can amplify accidental posting, misuse of business credentials, policy violations, and broad dissemination of incorrect or noncompliant content.
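The session-reuse divergence and the three publishing warnings above reduce to one missing control: the agent can reach a publish click with no approval step bound to what is being posted. The Python below is an added example, not code from the skill or the scanner. It shows a publish gate that defaults to draft/export, acts only from an allowlisted dedicated work account, and requires a confirmation bound to the SHA-256 of the exact content for the exact platform and account, consumed on use so that content edited after approval is rejected. `post_fn` and `fake_post` are hypothetical stand-ins for whatever actually performs the posting; platform and account names are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Preview:
    platform: str
    account: str
    content_sha256: str
    excerpt: str


@dataclass
class PublishGate:
    """Confirm-then-act gate for account-affecting publish actions.

    - dry_run=True (the default) never posts; it returns a draft marker.
    - Only allowlisted dedicated work accounts may publish.
    - A confirmation is bound to (platform, account, sha256(content)) and is
      single-use, so content edited after approval is refused.
    """
    allowed_accounts: frozenset
    dry_run: bool = True
    _confirmations: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    @staticmethod
    def digest(content: str) -> str:
        return hashlib.sha256(content.encode("utf-8")).hexdigest()

    def preview(self, platform: str, account: str, content: str) -> Preview:
        """What the human reviews before confirming."""
        return Preview(platform, account, self.digest(content), content[:60])

    def confirm(self, preview: Preview) -> None:
        """Record the human's approval of exactly this preview."""
        self._confirmations[(preview.platform, preview.account)] = preview.content_sha256
        self.audit.append(("confirm", preview.platform, preview.account, preview.content_sha256[:12]))

    def publish(self, platform: str, account: str, content: str,
                post_fn: Callable[[str, str, str], str]) -> str:
        if account not in self.allowed_accounts:
            raise PermissionError(f"{account!r} is not a dedicated work account")
        if self.dry_run:
            self.audit.append(("draft", platform, account))
            return f"DRAFT:{platform}:{account}:{self.digest(content)[:12]}"
        key = (platform, account)
        approved = self._confirmations.get(key)
        if approved is None:
            raise PermissionError(f"no confirmation for {platform}/{account}")
        if approved != self.digest(content):
            raise PermissionError("content changed since confirmation; re-review required")
        del self._confirmations[key]  # single use
        self.audit.append(("publish", platform, account, approved[:12]))
        return post_fn(platform, account, content)


def fake_post(platform: str, account: str, content: str) -> str:
    """Hypothetical stand-in for the real posting call (browser automation or API)."""
    return f"POSTED:{platform}:{account}:{len(content)}"


if __name__ == "__main__":
    gate = PublishGate(allowed_accounts=frozenset({"work@example.com"}), dry_run=False)
    text = "Constructed sample promotional copy."
    p = gate.preview("platform-a", "work@example.com", text)
    gate.confirm(p)
    print(gate.publish("platform-a", "work@example.com", text, fake_post))
```

The gate does not make browser-session reuse safe; it only guarantees that nothing reaches the posting step without a human approving that exact text for that exact account, which is the confirmation the findings say is absent.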

Missing User Warnings

Severity: Medium | Confidence: 90%

Interactive mode collects business identity and contact data, then writes it to a local JSON file by default without an explicit warning or consent checkpoint. In shared environments or agent workflows, this can cause unintended persistence of sensitive business information and increase the risk of disclosure through local file access, backups, logs, or later exfiltration.

Missing User Warnings

Severity: Low | Confidence: 85%

The tool saves generated publication-ready content, including business details and contact information, to local files without a clear prior disclosure. While expected for a content generator, silent persistence can still leak sensitive business information in shared workspaces, CI runners, or multi-user systems.
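The two local-persistence findings and the earlier customer-authorization finding share one fix pattern: record nothing sensitive, and claim nothing, that the user or customer did not explicitly approve. The Python below is an added example, not the skill's own code. It strips identity-bearing fields from the collected profile unless each is explicitly kept, refuses to write at all without a persistence confirmation, creates the file with mode 0600 and O_EXCL so it is owner-only and never silently overwrites, and emits the "shared with customer authorization" sentence only when a consent record with publish scope actually exists. Field names, the sample profile and the consent record are constructed.

```python
import json
import os
import stat
import tempfile
from datetime import date

# Constructed field names for the identity-bearing and contact data the findings describe.
SENSITIVE_FIELDS = frozenset({
    "business_license_no", "license_image", "legal_person_name",
    "legal_person_photo", "legal_person_id_no", "phone",
})


def minimize(profile: dict, keep: frozenset = frozenset()) -> dict:
    """Drop sensitive fields unless the operator explicitly listed them in `keep`."""
    return {k: v for k, v in profile.items() if k not in SENSITIVE_FIELDS or k in keep}


def save_profile(profile: dict, path: str, persist_confirmed: bool,
                 keep: frozenset = frozenset()) -> dict:
    """Write the minimized profile only after an explicit consent checkpoint.

    O_EXCL refuses to clobber an existing file; 0o600 keeps it owner-only.
    Returns the data actually written so the caller can show the user what persisted.
    """
    if not persist_confirmed:
        raise PermissionError("user has not confirmed saving business data to disk")
    data = minimize(profile, keep)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh, ensure_ascii=False, indent=2)
    return data


def _valid_consent(consent, today: date) -> bool:
    """A consent record must name the customer, cover publishing, and be in force."""
    if not isinstance(consent, dict) or not consent.get("customer_ref"):
        return False
    if "publish" not in consent.get("scope", ()):
        return False
    granted = consent.get("granted_on")
    if granted is None or date.fromisoformat(granted) > today:
        return False
    expires = consent.get("expires_on")
    return expires is None or date.fromisoformat(expires) >= today


def customer_case_attribution(case: dict, today: date) -> str:
    """Only assert customer authorization when a consent record supports it."""
    if _valid_consent(case.get("consent"), today):
        return f"Shared with the customer's explicit authorization (ref {case['consent']['customer_ref']})."
    return "Customer details anonymized; no authorization claim is made."


def demo() -> dict:
    """Run the flow against constructed data in a temp dir and return the outcomes."""
    profile = {  # constructed sample, not real business data
        "shop_name": "Example Tea Shop", "address": "1 Sample Rd",
        "phone": "138-0000-0000", "business_license_no": "91XXXXXXXXXXXXXXXX",
        "legal_person_photo": "/tmp/photo.jpg",
    }
    results = {"posix": os.name == "posix", "refused_without_confirmation": False}
    try:
        save_profile(profile, "unused.json", persist_confirmed=False)
    except PermissionError:
        results["refused_without_confirmation"] = True
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "merchant.json")
        written = save_profile(profile, path, persist_confirmed=True, keep=frozenset({"phone"}))
        results["written_keys"] = sorted(written)
        results["mode"] = stat.S_IMODE(os.stat(path).st_mode)
    today = date(2024, 6, 1)
    results["with_consent"] = customer_case_attribution(
        {"consent": {"customer_ref": "C-001", "scope": ["publish"], "granted_on": "2024-05-01"}}, today)
    results["without_consent"] = customer_case_attribution({"text": "Great tea!"}, today)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), ensure_ascii=False, indent=2))
```

The contact number is written only because the operator passed it in `keep`; the license number and photo path never reach disk, and the authorization sentence appears only for the case that carries a consent record.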

VirusTotal

66/66 vendors rated this skill clean (no detections).
