ClawHub

AI短剧/漫剧创作大师

Security checks across malware telemetry and agentic risk

Overview

This is a creative-writing skill whose main caveat is that it may save generated ViFlow JSON drafts locally.

Install this if you want a short-drama or AI manga writing assistant that can produce ViFlow-compatible JSON. Before using it with sensitive story ideas, be aware that outputs may be saved under assets/output, and check filenames or ask the agent to confirm before overwriting existing drafts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The auto-trigger condition is broad enough to activate on common writing-related requests, which can cause the skill to run when the user did not intend to invoke it. In this skill, that matters because activation can lead to additional file-writing behavior and prescriptive output flow, increasing the chance of unwanted side effects or confusing task hijacking.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description says the skill should auto-trigger for requests about scripts, outlines, plot design, manga scripts, or ViFlow import, but it does not define boundaries or exclusions. That ambiguity can cause overmatching and unintended invocation, especially in general creative-writing conversations where the user may not want structured exports or this specific workflow.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to write a JSON file into the workspace without warning the user that local files will be created or modified. Unannounced file creation can surprise users, overwrite prior outputs, and turn a simple content-generation request into a state-changing operation on the environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The requirement that all generated scripts must also be exported to JSON makes file creation mandatory, yet there is no notice about overwrite, path safety, or user approval. In practice, this creates avoidable integrity risks in the workspace and may cause unintended replacement of existing project artifacts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal