ClawHub

智能报告生成器

Security checks across malware telemetry and agentic risk

Overview

This reporting skill is coherent, but it encourages automatically sending potentially sensitive reports to Feishu without clear per-use confirmation or destination controls.

Install only if you are comfortable with a reporting assistant that may process business data and create persistent reports. Disable automatic sending by default, use least-privilege Feishu and database access, and require an explicit review of the data source, report contents, destination, recipients, and sharing scope before any report is written or sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill's usage instructions are very broad and do not define when report generation should or should not occur, what data sources are allowed, or what approval is required before output. In a skill that can analyze arbitrary data and write to Feishu documents or local files, vague triggering increases the chance of over-collection, accidental reporting on sensitive data, or execution in contexts the user did not intend.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description advertises automatic analysis and output to Feishu documents or local files without warning users that the skill may persist generated content outside the immediate chat context. This can lead users to provide sensitive business data without understanding it may be written to disk or shared to a collaboration platform.

Missing User Warnings

High
Confidence
97% confidence
Finding
The configuration sets 'Auto Send: true' for a reporting skill that can publish to Feishu, creating a real risk of outbound sharing without an explicit per-use user confirmation. Because reports may contain aggregated operational or business-sensitive data, automatic sending materially raises the chance of accidental data disclosure to external recipients or broader audiences.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal