ClawHub

Popeye Translation

Security checks across malware telemetry and agentic risk

Overview

This is a simple translation prompt skill with broad trigger words but no code, credential access, file access, persistence, or hidden actions.

Reasonable to install for translation, polishing, and localization. Be aware it may activate on common translation-related wording, and avoid giving it confidential text unless you are comfortable with the agent/model processing that text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are very generic Chinese words like “翻译”, “润色”, and “本地化”, which are likely to appear in ordinary user requests and can cause unintended skill activation. This creates routing ambiguity and may hijack normal conversation flow, especially in systems that auto-invoke skills based on keyword matching rather than explicit user selection.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrase "帮我做本地化" is broad enough that it could match ordinary user conversation rather than an explicit request to invoke this skill. In agent routing systems, overly generic triggers can cause unintended activation, leading to incorrect skill selection, prompt hijacking opportunities through accidental invocation, or reduced reliability of other skills.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "润色" is extremely generic and likely to collide with ordinary user requests that are not intended to invoke this specific skill. In an agent environment, broad trigger matching can cause unintended activation, leading the model to apply this prompt template in the wrong context and potentially override more appropriate routing or user intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "帮我翻译" is a very common natural-language request and is broad enough to match routine conversation, which can cause the skill to activate when the user did not intend to invoke this specific skill. In an agent environment with multiple skills, this increases the risk of misrouting user input, unexpected prompt behavior, and accidental processing under the wrong instruction set.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal