ClawHub

创客贴智能海报设计

Security checks across malware telemetry and agentic risk

Overview

This is a simple design-helper skill that sends the user's design prompt to Chuangkit and opens the returned preview image, with no evidence of hidden persistence, credential access, or destructive behavior.

Install only if you are comfortable sending design prompts to Chuangkit's external service and having a returned preview URL opened in your browser. Do not include secrets, private personal data, unreleased campaign details, or confidential business information in the prompt.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation text is broad enough to trigger on many generic requests about posters, design, banners, or images, which can cause the skill to run in contexts where the user did not specifically intend to send content to this external service. Because the skill forwards the user's raw request to a third-party API, overbroad invocation increases the chance of unintended data disclosure and inappropriate tool use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs sending the user's original design prompt directly to an external HTTP service but does not warn the user that their input will leave the local system and be processed by a third party. Design prompts can contain sensitive marketing plans, personal event details, product-launch information, or confidential business content, so lack of disclosure undermines informed consent and can lead to accidental data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal