ClawHub

企业风险排查

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward enterprise-risk lookup skill that uses a Qixin API token to query company risk data, with some privacy and accuracy caveats users should understand.

Install only if you trust the Qixin/启信宝 API service and are comfortable sending queried company names or enterprise IDs to it. For sensitive due-diligence work, prefer exact enterprise IDs, verify the returned ename before relying on results, and store the API token with limited exposure rather than broadly in a shell startup file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The example trigger phrases are broad conversational requests like asking to 'check a company's risks,' which can overlap with normal user dialogue and cause unintended invocation. If auto-triggered, the skill may send company identifiers to an external service without the user clearly intending to invoke this specific integration, creating privacy and consent issues.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes querying enterprise risk data through an external API but does not clearly warn users that supplied company names or IDs will be transmitted to a third-party service. This weakens informed consent and can expose sensitive business investigation targets, supplier lists, or due-diligence activity patterns to an external provider.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation states that when `ename` is provided and cannot be precisely matched, the system will automatically use the first search result. In a risk-assessment skill used for supplier due diligence, lending checks, and partner background investigations, this can silently return data for the wrong company and cause materially incorrect compliance, credit, or business decisions.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal