Team-Building Banner Slogan Generation (团建横幅标语生成)

Security checks across malware telemetry and agentic risk

Overview

This paid banner skill is not clearly malicious, but its payment records and identifiers do not match the advertised service, so users should review it before installing or paying.

Install only after reviewing the payment flow. Confirm the payee, amount, service slug, and order description match the team-banner service before paying; remove the thought-process disclosure instruction; and understand that order data is saved locally without documented cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Context-Inappropriate Capability

Severity: Medium, Confidence: 95%
Finding
The instruction to include the model's 'thought process' in user interactions is unrelated to banner generation and requests disclosure of internal reasoning. Exposing internal reasoning can leak hidden policies, intermediate judgments, and security-relevant details that should remain internal.

Description-Behavior Mismatch

Severity: High, Confidence: 98%
Finding
The implementation is materially inconsistent with the advertised skill: it hard-codes the slug "ai-chunlian", labels the order as "春联生成服务费用" (a Spring Festival couplet generation service fee), and stores metadata for a different service than the declared team-banner skill. In a paid skill, this can misroute billing, disguise what the user is purchasing, and undermine auditability and consent, which is especially risky because the actual payee is configurable.

Intent-Code Divergence

Severity: Medium, Confidence: 88%
Finding
The comment claims the slug is only used to compute an indicator, but the same slug also determines persisted order metadata including skill-id and slug. This hidden coupling increases the chance of deceptive or incorrect attribution, making reviews and downstream processing rely on misleading assumptions about what the code is doing.

Vague Triggers

Severity: Medium, Confidence: 83%
Finding
The activation and workflow conditions are broad and do not clearly limit when the skill should engage or what inputs are acceptable, especially around direct execution when an order number is provided. In a payment-enabled skill, vague triggering increases the chance of unintended payment processing, misuse of prior order artifacts, or unsafe execution paths.

Natural-Language Policy Violations

Severity: High, Confidence: 97%
Finding
Forcing Chinese output is not itself a major security flaw, but coupling it with a requirement to disclose internal reasoning creates a policy-bypassing interaction pattern. This is especially risky because the skill is payment-capable and may pressure the model to reveal internal logic while handling sensitive transactional steps.

Natural-Language Policy Violations

Severity: High, Confidence: 97%
Finding
The repeated natural-language instruction reinforces disclosure of internal reasoning and removes user language choice, increasing the chance the model follows unsafe output constraints. Repetition makes the leakage instruction more salient and therefore more dangerous in practice.

Ssd 3

Severity: High, Confidence: 99%
Finding
This is an explicit instruction to reveal chain-of-thought in every interaction. Such leakage can expose hidden decision criteria, safety boundaries, and internal processing details that attackers can use to manipulate or bypass safeguards.

Ssd 3

Severity: High, Confidence: 99%
Finding
The repeated requirement to disclose internal reasoning creates a persistent leakage directive embedded in the workflow description. In context, this is more dangerous because it appears in a skill that handles payments and credentials, where exposing internal logic can aid fraud or prompt-injection attempts.

VirusTotal

65/65 vendors flagged this skill as clean.
