ClawHub

liufeng-greeting-skill

Security checks across malware telemetry and agentic risk

Overview

This is a simple greeting responder with broad but disclosed triggers and no evidence of stealing data, persistence, or destructive behavior.

Install only if you want a skill that may respond whenever common greeting words appear in a message. Consider narrowing or disabling the trigger patterns if it interferes with normal conversations or other skills, and verify the package files install correctly because the submitted artifact appears to contain upload boundary text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The documented trigger set includes very common conversational phrases such as “你好”, “hi”, “hello”, and especially “在吗”, and the README explicitly states the match can occur even when these appear inside larger messages. In a chat assistant context, this can cause unintended activation, interfering with normal conversations and making the skill easier to invoke accidentally across multiple channels.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill is designed to trigger on very common greetings such as '你好', 'hello', 'hi', and '在吗', which are likely to appear in ordinary conversation unrelated to invoking this skill. In a chat-wide deployment, this can cause unintended activation, noisy responses, and interference with other skills or normal user interactions, especially because the description implies broad applicability rather than narrow scoping.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The usage instructions state that sending a greeting in any chat channel will trigger the skill, which removes meaningful scope boundaries and increases the chance of accidental execution. This is risky in multi-user or multi-channel environments because generic greetings are ubiquitous and can produce unsolicited responses or automation conflicts.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill registers extremely common greetings such as '你好', 'hello', 'hi', and '在吗', which are likely to appear in ordinary conversation and can cause the skill to trigger unintentionally. This creates an overbroad interception risk where the skill may activate in contexts the user did not intend, potentially hijacking normal interaction flow or overshadowing other skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal