ClawHub

头号红娘新媒体

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed branded content-writing workflow, not malware, but it will generate promotional advertorial copy for “头号红娘.”

Install this only if you want a branded advertorial workflow. Review generated articles for factual accuracy, verify cited data sources, and label promotional or sponsored content appropriately before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger conditions are broad enough to match generic requests for relationship or public-account content, which can cause this skill to activate when the user did not specifically request this branded workflow. Because the skill is designed to steer output toward '头号红娘' exposure and conversion, unintended activation can inject promotional behavior into otherwise neutral writing tasks.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example invocation phrases are generic content requests like '给我一篇婚恋文章', which materially increase the chance that the skill will be selected for ordinary editorial tasks. In this skill's context, that is risky because activation leads to a predefined marketing funnel and automatic brand insertion, creating undisclosed advertising and loss of user intent fidelity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill mandates an automatic promotional insertion for '头号红娘' but does not clearly disclose this behavior up front to the user. That creates a deceptive-content risk: users asking for an article may receive covert brand promotion embedded as editorial content, which can mislead readers and violate transparency or advertising disclosure expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal