ClawHub

热点爆款写作助手

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed content-writing workflow skill, with some automation to watch around web searches and cover image generation.

Install only if you are comfortable with a writing assistant that may search the web for trends and competitors and may generate cover-image prompts or images as part of the workflow. For sensitive topics, drafts, or unreleased campaigns, ask it to use a no-network/text-only mode or to confirm before web search and image generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill declares auto-execution for very common inputs such as a direct topic, which can cause unintended invocation when a user is only casually discussing a subject rather than requesting content generation. In this skill, unintended activation is more concerning because later steps include automatic web collection, analysis, and optional asset generation, creating hidden side effects and unexpected data flow.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Phrases like '追热点' and '生成爆款文章' are underspecified and can be matched broadly without constraints on platform, topic, scope, or whether network access is acceptable. Because this workflow can branch into broad scraping-like collection and multi-output generation, ambiguous triggers increase the chance of the skill acting beyond what the user expected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly instructs the skill to use network search tools for real-time collection across multiple external platforms, but it does not state any user-facing notice or consent step before external access occurs. This is risky because user topics or prompts may be transmitted to third-party services, and users may not expect external lookups from what appears to be a writing assistant.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill says cover images should be generated automatically based on inferred intent and even '无需确认直接生成', which introduces side effects without an explicit opt-in. Image generation can consume resources, trigger external model/API calls, and produce outputs the user did not request, making unintended actions and data disclosure more likely in this context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal