Security audit

five

Security checks across malware telemetry and agentic risk

Overview

This skill mixes a number-5 culture helper with unrelated personal and project promotion, so users should review it before installing.

Install only if you intentionally want a combined number-5 cultural reference plus Chen Lang/OpenClaw profile and project material. If you only want cultural meanings of 5, use or request a narrower skill without unrelated profile, contact, or promotional sections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill is ostensibly about the cultural meaning of the number 5, but it embeds unrelated personal-profile, contact, and project-promotion material for Chen Lang and OpenClaw. This creates unnecessary data exposure and expands the skill’s behavior beyond its declared purpose, increasing the risk of privacy leakage, unsolicited promotion, and inappropriate activation on unrelated queries.

Vague Triggers

Medium
Confidence: 91%
Finding
The top-level description says the skill activates for questions about the number 5, 五, cultural meanings, 五行, 五常, and also includes personal profile and project matrix content. That broad framing can cause the skill to trigger on generic numeric or cultural mentions and inject unrelated personal or promotional material into conversations where it does not belong.

Vague Triggers

Medium
Confidence: 94%
Finding
The usage instructions enumerate broad triggers, including both number-5 culture topics and unrelated requests about Chen Lang, OpenClaw, ClawOpen, and Aixin, without any negative examples or boundaries. This makes over-triggering more likely and allows a culture-themed skill to act as a vehicle for personal promotion or disclosure in contexts where users did not ask for that information.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.