Writing Assistant Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a Chinese-language writing assistant with disclosed local-memory behavior and simple verification scripts; the scan found no evidence of hidden access, credential use, exfiltration, or destructive actions.

Install this if you want a Chinese-language writing assistant and are comfortable with local memory/log files retaining writing preferences or draft-related context. Use explicit prompts if you have many skills installed, and review or clear the memory/log files before working with sensitive material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger phrase for the write agent is a single highly common verb ("写"), which makes accidental invocation likely during normal conversation. In an agent-routing system, overly broad triggers can cause the wrong capability to activate, leading to unintended content generation, prompt-context mixing, or execution of workflow logic the user did not explicitly request.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The rewrite trigger uses the generic term "改", which is ambiguous in Chinese and commonly appears in ordinary editing requests or natural speech. This increases the risk of unintended routing to the rewrite agent, especially if trigger detection is based on substring or loose keyword matching rather than explicit commands.

Vague Triggers

Severity: Low
Confidence: 90%
Finding
The headline agent trigger is the generic word "标题", which may appear in ordinary requests, quoted text, or document content without meaning to invoke a separate agent. While the impact is lower than broader workflow triggers, it still creates avoidable ambiguity and can misroute requests or produce unintended outputs.

Vague Triggers

Severity: Low
Confidence: 89%
Finding
The ideation trigger "选题" is a common domain term rather than a uniquely identifiable command, so it may activate during normal discussion of topics or planning. In a multi-agent writing assistant, this can cause unintended delegation and reduce user control over which workflow is invoked.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The activation phrases are extremely generic conversational text such as '写一篇...', '改一下...', '标题...', and '选题...', which are likely to appear in normal user interaction and can trigger the skill unintentionally. Overly broad routing can cause the agent to enter a specialized workflow without clear user consent, increasing the chance of unintended actions, prompt-context confusion, or interception of queries meant for another skill.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill defines activation on extremely common words like “写” and “改” without any scoping, prefix, or confirmation step. In a conversational agent, this can cause unintended mode switches from normal user text, increasing the risk of prompt-state manipulation, accidental execution of higher-privilege behaviors, or attacker-crafted inputs that reliably steer the agent.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger phrases are extremely generic single-word Chinese terms like “写”, “改”, “标题”, and “选题”, which are likely to appear in normal conversation. In an agent skill system, such broad triggers can cause unintended skill activation, context hijacking, or routing to the wrong capability, especially when users are discussing writing rather than explicitly invoking the skill.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The invocation examples use very broad natural-language phrases such as '改一下这段' and '给我5个选题', which can easily appear in ordinary conversation. In an agent system that maps free-form text to tool or sub-agent invocation, this increases the chance of unintended routing or activation, especially if no explicit command prefix, namespace, or confirmation step is required.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The write agent is triggered by the single common word “写”, which is broad enough to match ordinary user phrasing rather than an explicit routing command. This can cause unintended agent activation and misrouting of requests, especially in a multi-agent system where precise dispatch boundaries matter.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding
The rewrite agent uses the trigger “改”, which is highly ambiguous in natural conversation and can refer to many unrelated actions. In practice this raises the risk of accidental tool selection, causing unintended content modification or incorrect workflow execution.

Vague Triggers

Severity: Low
Confidence: 83%
Finding
The headline agent activation condition states it should run whenever titles or A/B testing are needed, but does not define strict boundaries for activation. This is less severe than the single-character triggers, yet it can still lead to over-eager dispatch in loosely phrased user requests.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The ideation agent trigger includes broad wording like requests for creativity, which can overlap with many normal writing tasks. This creates a realistic risk of unintended activation, particularly in a coordinator skill that routes across several adjacent content functions.

Natural-Language Policy Violations

Severity: Medium
Confidence: 94%
Finding
The file is written entirely in Chinese and provides no mechanism to detect or honor the user's preferred language. In an agent skill, forcing a single language can cause user misunderstanding, reduce informed consent, and lead to unsafe or incorrect task execution when users cannot reliably understand instructions or outputs.

Vague Triggers

Severity: High
Confidence: 93%
Finding
The role declares itself 'always active' as the assistant's core identity, which creates an unconditional override layer that can apply to every interaction regardless of user intent or higher-priority task context. In an agent skill system, broad always-on behavioral instructions can cause scope bleed, interfere with other roles or safety behaviors, and make prompt-injection resistance weaker because this persona is persistently in force.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
Repeating the unconditional activation state reinforces that the persona should remain permanently enabled, increasing the chance that its terse, directive writing style leaks into unrelated tasks. While this duplicate statement is not independently severe, it hardens the same scoping flaw and can make orchestration behavior less predictable across mixed-skill environments.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The instruction to extract writing-style preferences from every conversation and persist them into MEMORY.md and a knowledge layer creates ongoing retention of user-derived data without any visible consent, minimization, or retention controls. This can expose sensitive behavioral data across sessions, increase privacy risk, and allow unintended reuse of prior-user information in future interactions.

VirusTotal

60/60 vendors flagged this skill as clean.