中国历史年份查询 (Chinese Historical Year Lookup)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Chinese historical year conversion and lookup tool, with only ordinary privacy and accidental-activation considerations.

Install if you want a Chinese historical year lookup helper. Avoid putting sensitive personal information in historical queries, since supplemental lookups may be sent to external search or wiki sites, and verify important historical results because the conversion data and formulas are simplified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence: 94%
Finding
The trigger list is extremely broad, with generic phrases like '哪一年', '皇帝', '在位', and '历史事件' that can match ordinary conversation unrelated to the skill's intended scope. Overbroad activation can cause unintended routing, prompt hijacking of unrelated user tasks, unnecessary external lookups, and leakage of user queries to networked resources.

Vague Triggers

Medium
Confidence: 86%
Finding
The description advertises vague trigger patterns such as '某年发生了什么' and '某历史事件' without clear parsing boundaries, which increases the chance of accidental invocation on normal user text. In an agent setting, ambiguous routing is security-relevant because it can redirect unrelated prompts into this skill and trigger unintended processing or web access.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs network-based lookups to external sites like Baidu and Wikipedia but does not warn that user inputs may be transmitted to third parties. This creates privacy and data-handling risk, especially if users include sensitive queries or if broad triggers cause unintentional activation and outbound requests.

VirusTotal

No VirusTotal findings
