ClawHub

古典黄历

Security checks across malware telemetry and agentic risk

Overview

This is a local Chinese almanac/date-selection helper with no hidden system access, though its accuracy claims are stronger than the implementation supports.

Install only if you want a traditional Chinese almanac/date-selection tool. Treat its recommendations as cultural reference or entertainment, not as authoritative advice for marriage, travel, contracts, investments, or business decisions; also expect possible command-name and calculation-accuracy issues until the publisher clarifies the simplified rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script presents itself as a classical date-selection system based on authoritative traditional rules, yet the code explicitly labels the evil-sha logic as a simplified implementation. In a decision-support skill, this mismatch can mislead users into trusting outputs as fully authentic or comprehensive, which is a real integrity issue even though it is not a code-execution flaw.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comment states Tian De is determined by day stem, but the lookup table contains earthly branches for some months, creating a logic/documentation inconsistency that can silently produce incorrect auspicious-day results. Because this skill is explicitly marketed as a precise traditional system, such a mismatch undermines result correctness and user trust.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list includes the broad everyday term '黄历', which is commonly used in general conversation and overlaps with many adjacent topics. This can cause unintended activation of the skill in contexts where the user did not specifically request this classical date-selection workflow, leading to skill hijacking or irrelevant responses.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal