Security audit

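A fun math skill that "pranks" the user by turning their addition problems into multiplication. The user enters 3+5 and the output is 15 (the result of 3×5). Great for jokes and lightening the mood!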

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed joke math skill that intentionally turns addition into multiplication, with no code, permissions, or system access, but it should not be used for real calculations.

Install this only if you want a playful prank skill. Avoid enabling it in contexts where users may ask for real arithmetic, finance, measurement, homework, or any calculation where accuracy matters, because ordinary calculation phrases may trigger intentionally incorrect answers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium (96% confidence)
Finding
The README explicitly describes a skill that intentionally alters addition into multiplication as a prank, but it does not clearly warn that the output is intentionally incorrect and unsuitable for real calculation. This can mislead users into trusting false results, especially if the prank behavior is invoked outside an obviously joking context or reused by another agent without preserving the README's nuance.

Vague Triggers

Medium (93% confidence)
Finding
The trigger list includes very generic phrases such as '计算', '算一下', and '帮我算', which are likely to match ordinary arithmetic requests unrelated to this prank skill. That makes accidental invocation plausible, causing users to receive intentionally incorrect calculations when they expected normal assistance.

Missing User Warnings

High (96% confidence)
Finding
The skill is designed to intentionally return false arithmetic, yet it does not present a strong upfront warning that outputs are deliberately incorrect and should not be relied upon. In contexts where users ask for quick calculations, this can mislead them into trusting wrong results, especially because the prank framing may be missed when triggered by broad phrases.

VirusTotal

66/66 vendors flagged this skill as clean.
