ClawHub

Qimen Dunjia

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese divination-style advice skill with no bundled executable code or credential access, though its answers can sound overly definite for real-life decisions.

Install only if you intentionally want Chinese-language divination-style responses. Invoke it deliberately, and do not rely on its outputs for medical, legal, financial, safety, or major career decisions; also note that the documented CLI helper is not included in this package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example triggers are very broad, everyday Chinese phrases such as asking about travel, jobs, or whether something will work out. In an agent ecosystem, overly generic triggers can cause the skill to activate unintentionally during ordinary conversation, leading to incorrect routing, unexpected behavior, or untrusted decision-like outputs being injected where the user did not explicitly request this divination skill. The skill context makes this more concerning because it is designed to return direct conclusions and recommendations, increasing the chance of misleading or disruptive responses when mis-invoked.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger keywords include broad, natural-language phrases such as “问跳槽” and “问事业”, which are common in ordinary conversation and can cause the skill to activate when the user did not explicitly intend to invoke divination behavior. In an agent setting, unintended invocation can override user expectations, produce irrelevant or misleading advice, and increase the chance of the model following this skill instead of safer or more appropriate capabilities.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The usage examples demonstrate activation through ordinary conversational requests like “看看今天时盘,我想问跳槽的事” and “这个合作时机对不对,” which reinforces ambiguous routing and makes accidental invocation more likely. Because this skill gives authoritative, deterministic conclusions, accidental activation is more risky than for a harmless formatting skill: users may receive unsolicited pseudo-advisory output about jobs, business, health, or other decisions.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal