ClawHub

AI版MBTI测试

Security checks across malware telemetry and agentic risk

Overview

This is a coherent entertainment quiz, with the main privacy consideration being that it remembers quiz-derived MBTI history for retests and status views.

Install only if you are comfortable with a personality quiz storing quiz-derived MBTI results and dates for later retests/status views. Avoid entering highly private details, and treat the output as entertainment rather than psychological advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill expands a simple one-shot entertainment quiz into cross-session history, profile storage, and personality-drift tracking. That creates additional collection and retention of behavioral/psychological inference data beyond the stated purpose, increasing privacy risk and user surprise if the data is later exposed or reused.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The instructions direct creation of a persistent user archive and historical personality tracking that are not necessary to deliver the quiz result. Storing dated MBTI outcomes and inferred drift over time can reveal sensitive behavioral patterns and creates avoidable privacy and profiling risks.

Vague Triggers

Low
Confidence
82% confidence
Finding
The activation phrase '直接开始' is very broad and overlaps with ordinary user conversation, which can cause accidental invocation of the skill outside intended contexts. While this is not directly dangerous in an entertainment quiz, unintended activation can still confuse users, interrupt other tasks, or trigger undesired state changes like starting or resetting a test.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises history viewing ('/状态') and personality drift tracking over time, which implies retention and later exposure of personality-test results. Saying that no sensitive personal information is collected is misleading because behavioral and personality profiling data can itself be sensitive, especially when stored longitudinally and exposed back to the user or potentially others on shared devices/accounts.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The quiz prompts users to discuss emotions, coping behavior, and relationship patterns, which can elicit sensitive personal data and psychological inferences. Without an upfront warning or consent cue, users may disclose more than they expect in what appears to be a casual entertainment interaction.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill specifies that prior results, dates, and drift history will be stored and later displayed, but it does not warn users that this longitudinal profile will persist across sessions. Silent retention of psychological-profile history materially increases privacy risk because the data is both sensitive and cumulative.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs storing and later revealing historical test results and inferred personality drift across sessions. Any persistent record of user psychological inferences expands the attack surface for unauthorized disclosure, misuse, or overprofiling, especially when tied to timestamps and repeated assessments.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal