ClawHub
Back to skill

Security audit

Popeye Creative

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only creative helper, with only a minor risk that broad Chinese trigger phrases could activate it unintentionally.

Safe to install based on the inspected artifacts. Be aware it may respond to general brainstorming or naming requests because its triggers are broad; independently check generated names, slogans, examples, trademarks, and legal suitability before using them commercially.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases `头脑风暴` and especially `帮我脑暴` are generic conversational expressions that can easily appear in normal user requests, making unintended activation likely. This can cause prompt routing collisions, where the skill intercepts broad brainstorming queries even when the user did not explicitly intend to invoke this specific skill, reducing control over behavior and potentially bypassing more appropriate handling.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger description lacks clear scope and activation constraints, so the orchestrator has no guidance on when this skill should or should not be selected. In practice, ambiguous routing increases the chance of accidental invocation and makes behavior less predictable, especially when other skills may handle adjacent creative or general assistant tasks.

Vague Triggers

Low
Confidence
78% confidence
Finding
The trigger description lacks clear scope and activation constraints, so the orchestrator has no guidance on when this skill should or should not be selected. In practice, ambiguous routing increases the chance of accidental invocation and makes behavior less predictable, especially when other skills may handle adjacent creative or general assistant tasks.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases "起名字" and especially "帮我起名" are generic everyday requests that may appear in normal conversation outside the intended structured naming workflow. This can cause unintended invocation of the skill, leading to prompt hijacking of user intent, context switching, or accidental routing to this skill when the user did not explicitly want it.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal