ClawHub

Popeye Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a simple Chinese prompt-template skill for analysis, decisions, and problem diagnosis, with broad trigger phrases but no code, permissions, persistence, or hidden data access.

Installers should expect a Chinese-language analysis helper. Be careful with sensitive business data, personal details, or screenshots, and do not rely on it as a substitute for professional medical, legal, financial, or safety-critical advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "诊断问题" is ambiguous and lacks domain boundaries, so it may capture a wide range of requests including technical, medical, legal, or personal problem diagnosis. This increases the risk of unintended activation and unsafe handling of high-stakes topics without proper scoping or safeguards.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "诊断问题" is ambiguous and lacks domain boundaries, so it may capture a wide range of requests including technical, medical, legal, or personal problem diagnosis. This increases the risk of unintended activation and unsafe handling of high-stakes topics without proper scoping or safeguards.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases "分析数据" and especially the broad analysis-oriented invocation pattern can easily overlap with ordinary user requests, causing the skill to activate unintentionally. Over-broad triggering can route unrelated prompts into this skill, leading to prompt hijacking of user intent, unexpected behavior, or bypass of more appropriate skills/policies.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are generic natural-language requests ('帮我决策' / '帮我做决定') that can easily appear in ordinary conversation, so the skill may activate when the user did not intend to invoke this specific capability. This can cause prompt-routing errors, unexpected disclosure of user context to the skill, or undesired behavioral takeover from a more appropriate agent path.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "帮我分析问题" is very broad and can match many ordinary user requests outside the intended diagnosis workflow. Overly broad routing can cause this skill to activate unexpectedly, leading to prompt hijacking of general conversations, incorrect task selection, or bypass of safer/more specialized skills.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal