Movie Coupon: movie ticket coupons for discounted tickets on 淘票票 (Taopiaopiao), 猫眼 (Maoyan) and other movie platforms

Security checks across malware telemetry and agentic risk

Overview

This skill appears to fetch and present movie coupon links as advertised, with the main risk being that users may be sent to external coupon or QR-code destinations.

Install this only if you are comfortable with the skill contacting its coupon API and showing external redemption links or QR codes. Check the destination before opening or scanning coupon links, especially if they appear after a broad movie-related request rather than an explicit request for discounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 82% confidence

Finding
The trigger phrases are broad enough to activate on generic requests like wanting to watch a movie or save money, which can cause the assistant to inject third-party coupon links when the user did not explicitly ask for external promotions. In this skill, that matters because the output includes unauthenticated external redemption URLs and QR codes, increasing the chance of unsolicited link delivery and misrouting user intent.

Missing User Warnings

Low, 88% confidence

Finding
The documentation instructs consumers to present third-party coupon links and QR code image URLs exactly as returned, but it does not warn that opening them can send users to external destinations that may collect device, referrer, or behavioral data. In a coupon-distribution skill, users are specifically encouraged to click or scan, so the absence of a privacy and destination warning increases the chance of unintended third-party tracking or redirection without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
