Security audit

闲鱼文案生成器

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk instruction-only skill for generating Chinese e-commerce product copy, with no code execution, credential use, persistence, or data access beyond user-provided product details.

Installers should treat this as a copywriting template skill, not a compliance checker. Avoid entering sensitive customer data, review generated claims for accuracy and marketplace policy compliance, and specify the desired language or platform when the request could be ambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 83%
Finding
The activation trigger list is broad enough to match common, generic shopping or product-description requests, which can cause the skill to activate when the user did not explicitly ask for this specialized workflow. This creates prompt-routing risk: the agent may override user intent, inject marketplace-specific persuasive templates, or steer outputs toward sales copy when a more neutral response was expected.

Natural-Language Policy Violations

Medium
Confidence: 75%
Finding
The skill metadata and examples strongly bias output toward Chinese without clearly stating that language should follow user preference. While not a direct security flaw, this can cause unintended behavior in multilingual environments, including misaligned outputs, reduced usability, and accidental disclosure or mishandling if downstream workflows assume a different language.

VirusTotal

65/65 vendors flagged this skill as clean.