ClawHub

嘉为蓝鲸 ITSM 工单数据分析技能,支持处理人工作量统计、响应时间分析、问题分类统计、日报/周报生成。

Security checks across malware telemetry and agentic risk

Overview

This skill is a local ITSM ticket analysis helper, but users should treat ticket exports and generated reports as sensitive.

Safe to consider for local ticket analysis. Before installing, keep ticket exports and reports confidential, redact sensitive fields before sharing, use least-privilege API keys only if needed, and configure WEBHOOK_URL or scheduled pushes only for approved internal channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README encourages analyzing ITSM ticket files and generating reports, but it does not warn that ticket data and derived reports may contain sensitive operational details, personal data, internal identifiers, or incident information. In an agent skill context, this omission can lead users to process or share sensitive data insecurely, increasing the risk of data leakage through generated markdown reports, copied outputs, or stored analysis artifacts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly supports Enterprise WeChat webhook delivery for ticket reports but does not warn that generated reports may contain sensitive ticket metadata, incident details, assignee names, or operational context sent to an external endpoint. In a ticket-analysis skill, this omission increases the chance of unreviewed data exfiltration or oversharing through chat integrations, especially if users enable scheduled pushes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal