Yichen Trash Bag

Security checks across malware telemetry and agentic risk

Overview

The skill’s customer-service content is coherent, but its installers add automatic daily updates and can overwrite existing local files without clear opt-in.

Review before installing. The conversational skill itself is narrowly about store support, but the provided installers are too powerful for that purpose: they execute remote scripts, may overwrite an existing skill folder, and set up daily automatic git updates. Prefer manual installation from a reviewed, pinned release, remove the scheduled update task or crontab entry, and narrow trigger terms to store-specific phrases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
The README includes one-line remote installer commands that fetch and immediately execute code from the network, which is unrelated to the stated customer-service behavior of the skill itself. This creates a supply-chain and arbitrary code execution risk for anyone following the documentation, especially if the repository, branch, or hosting path is modified or compromised.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
The installer creates a persistent scheduled task that runs daily and performs `git pull` against a remote repository. For a customer-service skill, this exceeds the expected install scope and creates an ongoing execution path that could deliver future code changes without fresh user review, increasing supply-chain and persistence risk.

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
The script registers a daily Windows scheduled task to execute PowerShell and `git pull` unattended. This gives the skill a persistence mechanism unrelated to its stated e-commerce support function, and any compromise of the upstream repository could be propagated automatically onto the host.

Description-Behavior Mismatch

Severity: Medium. Confidence: 96%.
The installer establishes persistent automatic updates via the user's crontab, but the skill is described only as an e-commerce customer service capability. Adding persistence is unnecessary for the stated function and creates an ongoing code-execution path from a remote repository without clear user consent.

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
Modifying the user's scheduled tasks gives the installer persistence and recurring execution capability unrelated to a product-support skill. In this context, the ability is disproportionate to the advertised purpose and increases the blast radius if the repository is later compromised.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The installation instructions tell users to execute remote scripts directly via bash and PowerShell without any warning, review step, or integrity check. This normalizes unsafe behavior and allows immediate code execution from a mutable remote source, making compromise of the repository or upstream delivery path directly dangerous to users.

Vague Triggers

Severity: Medium. Confidence: 91%.
The trigger keywords include very broad shopping terms such as '垃圾袋' (trash bag), '一次性用品' (disposable goods), and generic product phrases that can easily match ordinary user conversations outside the intended store-specific context. Over-broad activation can cause unintended injection of this skill into unrelated chats, leading to irrelevant behavior, response hijacking, or suppression of the user's actual intent.

Vague Triggers

Severity: Medium. Confidence: 95%.
The short-keyword trigger table uses ambiguous single-word activators like '推荐' (recommend), '价格' (price), '优惠' (discount), '快递' (express delivery), '退' (return/refund), and '质量' (quality), which are common across many unrelated conversations. This makes accidental invocation highly likely and increases the risk that the skill will override more appropriate system behavior or inject off-topic sales-oriented responses into normal user interactions.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The installer forcefully deletes the existing skill directory and then sets up a persistent auto-update task, all without explicit warning or user confirmation. This can overwrite local changes or remove data unexpectedly, and the combination with silent persistence materially increases user risk and reduces informed consent.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The script deletes an existing target directory with `rm -rf` when it is not a git checkout, without prompting the user or backing up its contents. This can destroy local files or prior manual customizations if the directory exists for any reason.

Missing User Warnings

Severity: Medium. Confidence: 98%.
The installer silently edits the user's crontab to schedule daily remote code updates, and this behavior is not disclosed upfront in the one-line install instruction. Silent persistence changes are risky because users may not realize they have granted continuing execution to repository-controlled code.

VirusTotal

66/66 vendors flagged this skill as clean.