ClawHub

Chinese Almanac (古典择日)

Security checks across malware telemetry and agentic risk

Overview

This skill is a small Chinese almanac date-selection tool with no evident data access, persistence, or hidden execution behavior.

Install only if you want traditional Chinese almanac-style date selection. Be aware that some trigger terms are overly broad or mistranslated, so the skill may activate for ordinary scheduling or Japanese timepiece-related requests until those triggers are narrowed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase "pick a good day" is broad and can match ordinary scheduling or recommendation requests that are unrelated to a Chinese almanac. This can cause unintended skill activation, leading the agent to inject irrelevant metaphysical guidance into normal conversations and reducing user control over tool selection.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The invocation text "ask to pick a good day for events" lacks constraints and can match many benign requests about planning, calendars, or availability. In a routing system, such ambiguity increases the chance of this skill hijacking unrelated user intents and producing off-target responses.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
Including the Japanese term "時計" is risky because it commonly means "clock" or "watch," not almanac or auspicious-date selection. This can spuriously activate the skill on unrelated Japanese requests about timepieces or time, creating significant trigger confusion across locales.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The explicit Japanese trigger list repeats the generic term "時計," which is strongly associated with clocks and watches rather than date selection. Because trigger lists are used for routing, this materially increases accidental invocation on unrelated Japanese-language conversations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal