Chinese Calendar Cn

Security checks across malware telemetry and agentic risk

Overview

The skill appears low-risk to execute, but it does not implement the Chinese calendar features it advertises.

Review before installing if you need an actual Chinese calendar tool. It does not appear to access private data or perform harmful actions, but users and agents may get irrelevant or misleading results because the packaged script does not match the advertised functionality.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill’s metadata promises Chinese lunar calendar capabilities such as solar terms, zodiac years, auspicious dates, festivals, stems/branches, and calendar conversion, but the script only emits generic placeholder-style text. This is dangerous because downstream users or agents may rely on the declared functionality for decisions while receiving unrelated content, creating a supply-chain style integrity problem and enabling deceptive packaging of skills.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The inline documentation labels the script as a Chinese calendar reference tool, but the actual command outputs are generic operational filler unrelated to calendar functionality. Misleading in-file documentation increases the risk that reviewers, users, or automated systems will trust the skill for a purpose it does not serve, undermining integrity and traceability.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The FAQ/help section reinforces the claim that this is Chinese calendar quick-reference material, yet the script provides only generic placeholder guidance. In a skill ecosystem, this mismatch can mislead users and orchestration agents into selecting the wrong tool, producing incorrect outputs and reducing trust in the repository.

VirusTotal

64/64 vendors flagged this skill as clean.
