Thần Cửu (Jaskies)

Security checks across malware telemetry and agentic risk

Overview

This skill is a markdown-only personality/numerology guide that asks for real names and birth dates and says results are saved locally, so it is privacy-sensitive but not deceptive or unsafe.

Install only if you are comfortable giving the agent real names and birth dates and having the resulting analyses kept locally. Avoid entering other people’s details without consent, and delete records under knowledge/ThanCuu/ if you do not want them retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Low
Confidence: 92%
Finding
The skill documentation expands behavior from personality analysis into persistent storage of user-derived results in `knowledge/ThanCuu/`. Because the inputs include full names and birth dates, this creates an undocumented data-handling surface that can retain sensitive personal data beyond the immediate session.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill says all analysis results will be stored but gives no privacy warning despite processing names and dates of birth, which are personal data. Users may unknowingly submit identifying information without understanding retention, reuse, or exposure risks.

Missing User Warnings

Medium
Confidence: 94%
Finding
The document explicitly instructs users to source name and birth-date data from government identity documents such as CMND/CCCD, which are sensitive personal identifiers. In a personality-analysis skill, this increases privacy risk because it normalizes collecting official identity data without any minimization, consent, storage, retention, or redaction guidance.

Missing User Warnings

Medium
Confidence: 95%
Finding
The questionnaire explicitly asks for full name and instructs users to provide information according to a national ID card, which encourages collection of highly sensitive personal data without any notice about minimization, purpose, storage, consent, or protection. In a personality-analysis skill, this data is not obviously necessary for the questionnaire itself, so the skill context makes the issue more concerning because it may normalize oversharing of identity data for a non-essential purpose.

Ssd 3

Medium
Confidence: 98%
Finding
A natural-language instruction to store all analysis results creates a real data-retention risk because the workflow processes personally identifying inputs and derived profiles. Persistent storage increases the blast radius of accidental disclosure, unauthorized access, or unintended reuse of sensitive user data.

VirusTotal

66/66 vendors flagged this skill as clean.
