谋道

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AI planning skill that sends user-provided planning details to a configured LLM API. It shows no evidence of hidden persistence, local data harvesting, or destructive behavior.

Install only if you are comfortable sending the planning details you enter to the configured LLM provider. Avoid entering secrets, confidential business strategy, or sensitive medical, legal, or financial details, and independently verify high-impact recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 91% confidence
Finding
The skill description is very broad, covering planning for projects, entrepreneurship, careers, learning, and personal goals, which overlaps heavily with ordinary user requests. Overbroad triggering can cause unintended activation, exposing user prompts and context to the skill when the user did not specifically intend to invoke it, increasing privacy and prompt-routing risk.

Missing User Warnings

Medium, 96% confidence
Finding
The file provides specific weight-loss advice, including calorie deficits, intermittent fasting, exercise cadence, and target loss rates, but does not warn that the content is general wellness information rather than medical advice. Users with eating disorders, chronic conditions, pregnancy, medication interactions, or other health risks could rely on this example as prescriptive guidance and be harmed.

Missing User Warnings

Medium, 95% confidence
Finding
The script transmits user-supplied ideas, profiles, constraints, and context to a third-party LLM endpoint without an explicit user-facing notice or consent flow. Because these fields can contain sensitive personal, business, or strategic information, users may unknowingly disclose confidential data to an external provider, creating privacy, compliance, and data-governance risk.

VirusTotal

63/63 vendors flagged this skill as clean.
