宝宝取名 (Baby Naming)

Security checks across malware telemetry and agentic risk

Overview

This paid baby-name skill discloses a payment flow, but it has material review concerns because it asks the agent to reveal internal reasoning, stores payment/order data locally, and charges for personalization the code does not actually provide.

Review before installing. Only use this skill if you accept the configured payee, payment flow, and local order storage; require explicit confirmation before creating an order or installing clawtip. Do not allow it to reveal internal reasoning, and do not expect true birth-date or surname-based personalization from the current code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium severity, 98% confidence
The skill explicitly instructs the model to reveal its thought process during user interaction. Requests to expose internal reasoning are unsafe because they can leak hidden decision logic, security cues, and system-behavior details that should remain private, and such instructions are especially suspicious when embedded in untrusted skill content.

Intent-Code Divergence

Medium severity, 98% confidence
This repeated instruction reinforces the demand to expose the model's internal reasoning, increasing the likelihood that an agent follows it as part of normal operation. Repetition within the body of the skill is a red flag because it attempts to override higher-level safety boundaries through persistence and emphasis.

Description-Behavior Mismatch

Medium severity, 92% confidence
The implemented behavior materially differs from the advertised skill purpose: instead of primarily generating baby names, this file creates payment orders and persists them locally. This mismatch is dangerous because users, operators, or reviewers may grant trust and permissions based on the stated benign function while the code performs billing-related actions behind the scenes.

Context-Inappropriate Capability

Medium severity, 95% confidence
This file loads a payment recipient and encryption key from configuration and generates an encrypted payment payload, which is a sensitive capability beyond the core baby-naming function. In the context of an innocuous-seeming consumer skill, this increases the risk of unauthorized charging flows, covert monetization, or repointing payments to an attacker-controlled recipient through configuration changes.

Description-Behavior Mismatch

Medium severity, 95% confidence
The skill advertises personalized baby naming based on birth data and parents' surnames, but the implementation only infers gender from free-form text and returns names from a fixed list. In a paid service context, this is a service integrity and consumer deception issue: users may pay for customization that is never performed, and downstream components may trust the output as tailored when it is not.

Natural-Language Policy Violations

High severity, 97% confidence
The skill mandates Chinese-only interaction and explicitly requires revealing the model's thought process. The language requirement itself is benign, but coupling it with mandatory reasoning disclosure creates a prompt-injection style policy conflict that can be used to exfiltrate protected internal content.

Natural-Language Policy Violations

High severity, 97% confidence
This duplicate directive again combines normal interaction requirements with an explicit request for thought-process disclosure. In context, the repeated prompt-level pressure makes the skill more dangerous because it normalizes unsafe output behavior throughout the workflow.

Missing User Warnings

Medium severity, 83% confidence
The code persists order details, including user-provided `question`, payment metadata, and recipient information, without any visible disclosure, consent, or minimization in this file. In a paid consumer-facing skill, silent storage of transactional and user-supplied data can create privacy, compliance, and trust risks, especially if the stored content contains personal information.

Missing User Warnings

Medium severity, 84% confidence
The code writes order data to disk under the user's home directory without any evident minimization, permission hardening, encryption, or notice to the user. In the context of a paid baby-naming service, order records may contain personal or payment-adjacent data, so local persistence can expose sensitive information to other local users, backups, or malware on the host.

Ssd 3

High severity, 98% confidence
Instructing the model to reveal its internal reasoning creates a direct data-leakage channel. Internal reasoning can contain sensitive safety heuristics, hidden instructions, or intermediate assessments that should not be exposed to users, making this a clear security-boundary violation.

Ssd 3

High severity, 98% confidence
The repeated body-level requirement to include thought process compounds the leakage risk by embedding the unsafe behavior in operational guidance. Because the skill also handles payment flow and credential-related steps, leaking internal reasoning in this context could additionally expose validation logic or security assumptions.

VirusTotal

66/66 vendors flagged this skill as clean.