ClawHub

LOFTER

Security checks across malware telemetry and agentic risk

Overview

The skill appears to present itself as LOFTER guidance while its body reportedly covers unrelated video streaming and membership playback topics, so it needs review before install.

Review before installing. The main issue is not malware-like behavior; it is that the skill may be mislabeled or incorrectly authored. Install only if the publisher clarifies whether this is actually for LOFTER or for a video/member playback workflow, and make sure its trigger phrases and instructions match the intended platform.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill metadata presents LOFTER as an interest-community and creative-guidance skill, but the body describes unrelated video streaming, membership playback, and download-management features. This mismatch can cause incorrect routing and overbroad activation, leading users to invoke a skill under false pretenses and potentially receive unsafe or irrelevant guidance.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The declared description says the skill provides LOFTER community and creative-content guidance, but the documented functionality shifts into video playback control, paid episodes, and recommendation tuning. This is a genuine scope-integrity problem because users and orchestration systems may trust the declared purpose while the skill actually targets a different domain.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The example trigger phrases are highly generic, such as asking how to use LOFTER for a specific scenario or what features are available, which could match many unrelated user requests. Overbroad triggers increase the chance that this mismatched skill is selected inappropriately, amplifying the metadata/content inconsistency and causing confused or unsafe delegation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal