Quality Daily / Weekly / Monthly Report

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only quality report generator with disclosed mock-data and file-output behavior, and no evidence of hidden access, credential use, or unsafe actions.

Safe to install for quality-report drafting. Before using reports in real operations, replace any mock figures with verified data, keep the simulated-data notice visible when sample data was used, review generated Excel/PPT files before sharing, and avoid saving confidential company report contents as reusable templates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding:
The trigger examples and usage guidance are broad enough to match generic requests like 日报/周报/月报 (daily/weekly/monthly report) or simple report-writing prompts, which can cause the skill to activate in situations beyond narrowly scoped quality reporting. That increases the chance of unintended invocation, data confusion, or users receiving fabricated quality-report outputs when they expected general writing assistance.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The README states that the skill will generate realistic mock data when no data is provided, but it does not prominently warn that such data is synthetic and must not be mistaken for real operational metrics. In a management or quality-reporting context, this can mislead users into distributing fabricated KPIs, defects, yield, or complaint figures as if they were genuine business records.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding:
This file hard-codes a Chinese-only interaction flow and requires the user to respond with specific Chinese template options before proceeding. That can exclude or confuse users who invoked the skill in another language, increasing the risk of incorrect report generation, user lockout, or unsafe reliance on misunderstood outputs in business reporting workflows.

VirusTotal

64/64 vendors flagged this skill as clean.
