ClawHub

Param Eval

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a procurement/product-parameter evaluation helper with some broad activation phrases, but no artifact-backed evidence of hidden access, persistence, destructive behavior, or data exfiltration.

This looks safe to install for tender, procurement, and product-parameter evaluation work. Be aware that its trigger wording is broad, so if it activates during a general technical or product-comparison request, ask the agent to confirm whether the task is actually procurement-related before using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "技术评估" is broad enough to match many generic technical-evaluation requests that are not actually about bidding or parameter-response workflows. This can cause the skill to activate out of scope and steer the agent into using procurement-specific instructions or product materials in unrelated contexts, increasing the risk of inappropriate behavior or incorrect outputs.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The phrase "产品对标" is ambiguous and may match broad competitor-comparison or market-analysis requests outside the intended tender-parameter evaluation use case. If triggered incorrectly, the skill may apply rigid response templates and product-directory assumptions to unrelated requests, causing context confusion and unsafe overreach.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation logic relies on keyword presence alone and does not define boundaries, disambiguation rules, or exclusions for near-match requests. In agent systems, this kind of underspecified routing can lead to accidental invocation on unrelated prompts, which may leak internal workflow assumptions, mis-handle user intent, or apply the wrong specialized behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal