Movie & News Inquiry - 电影影讯查询

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward movie-showtime lookup tool that calls JisuAPI with user-provided movie or city parameters and an API key.

Install this only if you are comfortable sending movie names, city or theater identifiers, dates, keywords, and your JisuAPI key to JisuAPI over HTTPS. Avoid using precise personal location or sensitive context in queries unless needed.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 75%
Finding
The trigger wording is broad ('最近有什么好看的电影?…或类似电影影讯问题时,使用本技能'), which can cause the agent to invoke the skill for loosely related requests without clear user consent boundaries. In a skill that sends query data to a third-party API, overbroad activation increases the chance of unnecessary data disclosure and unintended network calls.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill description does not warn users that their query terms, such as movie names, city names, and possibly location-related context, will be transmitted to JisuAPI. Lack of disclosure undermines informed consent and can leak user intent or location preferences to an external service, especially when combined with broad invocation conditions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill sends user-supplied movie query parameters together with the JISU API key to a third-party service. While this is expected for the skill’s functionality, the code provides no user-facing disclosure, consent flow, or data-minimization controls, so users may unknowingly transmit location/city and movie-interest data to an external provider.

VirusTotal

64/64 vendors flagged this skill as clean.
