ClawHub

Life Fork Simulation Stack

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent life-reflection and report-generation tool, with sensitive intake questions that are relevant to its purpose but should be answered selectively.

Install only if you want a Chinese-first life-choice reflection tool. Treat finance, health, family, relationship, and location details as optional: generalize or omit anything identifying or sensitive, and do not use the output as medical, legal, investment, immigration, or major life-decision advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases for the decision-help mode are broad everyday requests such as whether to change jobs, relocate, or start a business. Over-broad activation can cause the skill to intercept unrelated conversations and steer users into a strong-report workflow that collects sensitive personal context and produces high-stakes guidance without clear user intent to invoke this specific skill.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The deep-simulation mode can be triggered by very general requests like 'help me deeply simulate' or 'run a multi-agent version,' without strong constraints or confirmation. In context, this mode requests extensive personal, financial, family, and health information, so accidental activation increases privacy risk and may escalate a normal chat into intensive profiling and analysis the user did not clearly authorize.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest enables implicit invocation with no documented trigger constraints, so the skill may activate during ordinary conversation without clear user intent. Because this skill handles broad counterfactual life-reflection prompts, unintended activation could cause unexpected context capture, steering, or report generation when the user did not explicitly request this tool.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The default prompt uses very broad, everyday language about reflecting on past life choices, which overlaps with common conversational topics. In combination with implicit invocation, this increases the chance the agent routes normal user dialogue into the skill unexpectedly, causing unintended behavioral shaping and unsolicited structured outputs.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file is predominantly written in Chinese and defines output formats and operating guidance only in Chinese, without offering a language-selection mechanism or an explicit opt-in. In a multi-user or multilingual agent setting, this can cause the agent to ignore the user's preferred language, reducing transparency, usability, and potentially causing misunderstanding of sensitive advice.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The file hard-codes a Chinese-only delivery style and repeatedly mandates fixed Chinese phrasing and titles, without indicating any user language preference check or opt-in. This can override a user's requested language, reduce accessibility for non-Chinese readers, and create misleading behavior if the surrounding agent is expected to respect user locale or enterprise language policies.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The intake template solicits extensive sensitive personal data including finances, family responsibilities, relationship status, health, and location history without any privacy notice, minimization guidance, or warning to avoid unnecessary identifying details. In an AI skill context, this creates a real privacy risk because users may overshare highly sensitive data that is not strictly necessary for the simulation and may be retained, logged, or exposed downstream to sub-agents or platform infrastructure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal