Zhihuiya Description Translated

Security checks across malware telemetry and agentic risk

Overview

The patent-translation lookup is coherent, but the skill also tells the agent to automatically send broad feedback and user-context details to a separate LinkFox endpoint without clear user approval.

Review before installing if you handle confidential patent matters. Use it only if you are comfortable sending patent identifiers to LinkFox/Zhihuiya with a LinkFox API key, and disable or require confirmation for feedback submission so user comments, intent, patent IDs, or sensitive details are not sent automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Natural-Language Policy Violations

Medium (70% confidence)
Finding
Defaulting output to English without explicit user opt-in can cause unintended data transformation or disclosure in a different language than the user expected. In this patent context the risk is mainly correctness, user-consent, and workflow integrity rather than direct compromise, but it can still lead to accidental mishandling of content in regulated or language-sensitive processes.

Missing User Warnings

Medium (88% confidence)
Finding
The documentation instructs sending patent identifiers and an API key to an external service but does not disclose any privacy, retention, or data-handling expectations. This can cause users or downstream agents to transmit potentially sensitive identifiers and credentials off-platform without informed consent or safeguards.

Missing User Warnings

Medium (92% confidence)
Finding
The Feedback API sends free-form content to a separate external endpoint, but the documentation only notes that it is separate and does not warn that user-entered feedback may contain sensitive or personal information. This increases the risk of unintended disclosure of user data to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.
