Competitor Analysis Automation (竞品分析自动化)

Security checks across malware telemetry and agentic risk

Overview

This skill coherently performs public competitor research with web search/crawling and local report export, with some routing and usage cautions but no evidence of malicious behavior.

Install only if you want an agent to search DuckDuckGo and crawl public competitor websites. Use explicit competitor-analysis requests, avoid private project names or sensitive URLs, choose output filenames carefully, and respect target site policies such as robots.txt and terms of service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 76% confidence
Finding
Several triggers, such as phrases in the style of '市场分析' ("market analysis") and '分析报告' ("analysis report"), are broad enough to match routine user requests beyond competitor analysis, increasing the chance of accidental invocation. Unintended activation matters here because the skill can initiate web search/crawl behavior and collect external data when a user did not specifically request that workflow.

Missing User Warnings

Medium, 84% confidence
Finding
The description markets automatic scraping and analysis of public competitor data but does not prominently warn users that external websites may be crawled and their content collected. This weakens informed consent and can cause users to unknowingly trigger network activity, with potential compliance, privacy, or terms-of-service issues depending on target sites.

Vague Triggers

Medium, 90% confidence
Finding
The trigger list contains broad phrases such as “市场分析” ("market analysis"), “分析报告” ("analysis report"), and generic English terms like “competitor analysis”, which can cause the skill to activate for unrelated business or research requests. This creates prompt-routing risk: users may be routed into web search/crawl behavior without clearly intending to invoke this specific skill, increasing the chance of unnecessary data collection or unexpected tool use.

VirusTotal

66/66 vendors flagged this skill as clean.
