ClawHub

Instant Report

Security checks across malware telemetry and agentic risk

Overview

This is a report-generation skill with disclosed subagent research and document output, though users should note it appears to produce Chinese reports despite claiming automatic Chinese/English matching.

Install this only if you want a skill that performs web research, delegates to subagents, and creates Markdown, DOCX, and PDF report files. Avoid using it for confidential topics unless you are comfortable with the query and report content being used in research and document-conversion workflows, and expect Chinese output unless the skill is updated to honor English requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger description is extremely broad and can activate on many generic research or analysis requests, causing the skill to run in contexts the user may not expect. Because this skill spawns subagents and produces files, over-triggering increases the chance of unintended delegation, excess data exposure to subagents, and surprising side effects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill delivers DOCX and PDF outputs, but the user-facing description does not clearly disclose that file generation and conversion will occur. Hidden file-producing behavior can surprise users, trigger unintended downstream tool use, and increase risk when sensitive user content is packaged into persistent artifacts.

Natural-Language Policy Violations

High
Confidence
95% confidence
Finding
The researcher subagent is forced to write in Chinese regardless of user preference, despite the metadata promising automatic Chinese or English output. This can violate user expectations and, more importantly, corrupt task fidelity by translating source material or prompts in ways that lose nuance, causing incorrect research results and unsafe downstream decisions.

Natural-Language Policy Violations

High
Confidence
95% confidence
Finding
The report-writing stage mandates Chinese output for the main report and chart annotations without user opt-in, creating a direct mismatch with the advertised bilingual behavior. In a reporting workflow, forced language transformation can misrepresent technical, legal, or financial content and make the final deliverables unusable for the intended audience.

Natural-Language Policy Violations

High
Confidence
94% confidence
Finding
Forcing the fact-checker to output in Chinese without user opt-in introduces the same language mismatch at the verification stage, where precision is especially important. Translation or language coercion during fact-checking can obscure discrepancies, reduce reviewability, and weaken the trustworthiness of corrections.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill description promises automatic language matching for Chinese or English, but the workflow hardcodes Chinese in multiple phases. This inconsistency is a real safety and reliability issue because users and calling systems may trust the metadata, while the implementation behaves differently and can produce inaccessible or misleading outputs.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal