Drive Axle

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed drive-axle CAD workflow that uses a third-party service to calculate drawings and create a guest-access production sheet, with no local code or credential access.

Install only if you are comfortable sending drive-axle design parameters to jixietools.com and receiving results through a shareable guest link. Before creating a production sheet, confirm that the user understands a remote record and unauthenticated progress/result URL will be created.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill’s declared purpose is CAD drawing generation, but the documented workflow extends into creating and monitoring production orders on a third-party service. This materially changes the capability surface from design assistance to transaction/order orchestration, which can surprise users and trigger external side effects they did not explicitly request.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Including order-creation and tracking functionality in a CAD-generation skill violates least surprise and expands the skill beyond its stated business purpose. If invoked casually, it may create remote records and guest-access artifacts without the user understanding that an ordering workflow has begun.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger phrases are broad enough that ordinary mentions of '驱动桥' or 'drive-axle' could activate the skill unintentionally. In this skill, accidental activation is more concerning because the workflow can lead to external API calls and eventual production-sheet creation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to create a production sheet and expose a guest access link without authentication, but does not require a clear warning or informed consent. This can leak access to remotely hosted order/progress data through bearer-style guest URLs and create records on behalf of users unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.