Security audit

Qa Mobile Testing

Security checks across malware telemetry and agentic risk

Overview

This is a mobile testing guidance skill with some unrelated desktop and PC-web reference notes, but no evidence of hidden, destructive, or data-stealing behavior.

Install only if you want mobile QA guidance, and be aware the package also includes desktop and PC-web testing checklists that may be irrelevant. Prefer using the mobile app, mobile web, and mini-program references for mobile work, or ask the publisher to remove or split the unrelated platform files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence: 95%
Finding
The skill metadata says this skill is for mobile testing, but the referenced content is entirely about desktop testing. This mismatch can cause an agent to activate the wrong guidance and perform irrelevant or unsafe test actions in the wrong environment, reducing reliability and potentially bypassing expected scope controls. In a security-sensitive workflow, scope confusion is dangerous because users and orchestration systems may trust the declared skill purpose rather than the actual content.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The skill metadata says this is a mobile testing skill, but the referenced file defines a full PC Web testing scope instead. This scope mismatch can cause the agent to activate or apply incorrect testing guidance, leading to incomplete mobile security/quality coverage and potentially unsafe reliance on irrelevant web-only procedures.

VirusTotal

62/62 vendors flagged this skill as clean.
