天枢短剧爆款因子分析报告 (Tianshu Short-Drama Hit-Factor Analysis Report)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid short-drama analysis skill that uses a stated web API and Alipay flow, with no hidden code or local access found.

Install this only if you want a Chinese short-drama analysis service. Expect calls to sinodata.io for catalog and preview data, and confirm the 9.90 CNY Alipay payment link before paying for a full report; avoid sending confidential scripts or business plans unless you are comfortable with the provider’s handling of that content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger description is broad enough to activate on generic requests about drama analysis, script evaluation, or why a show became popular, which can cause the skill to intercept user intent too aggressively. In context, this matters because the skill includes a payment flow and external API usage, so over-triggering could route users into commercial actions they did not explicitly request.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes very broad and generic terms such as '短剧', '爆款', '爽剧', and '剧本评估', which can match many unrelated user requests and cause the skill to activate outside its narrow intended use. Because this skill routes requests to a remote paid HTTP endpoint, overbroad invocation increases the chance of unintended data disclosure, accidental charges, and user confusion about why the skill was selected.

Missing User Warnings

Medium
Confidence: 89%
Finding
The manifest advertises remote HTTP processing at 'https://sinodata.io/v1/analyzer' and a pay-per-call model, but it does not clearly warn users that their prompts or script details will be transmitted to a third-party service. In a content-analysis skill, users may submit unpublished scripts, business plans, or commercially sensitive creative material, so the lack of explicit transmission and payment disclosure creates privacy, confidentiality, and consent risks.

VirusTotal

64/64 vendors flagged this skill as clean.