Income Explorer

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only assistant for researching AI income ideas, with no hidden code or install-time behavior found.

Install only if you want an assistant to research AI monetization ideas and generate local reports. Review any report before sharing it, and keep command execution, web-search API use, and file writing limited to locations and actions you explicitly choose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding:
The trigger phrases are broad enough to match ordinary user requests about AI income ideas, which can cause the skill to activate in situations where the user did not explicitly ask for this specific workflow. Over-broad routing increases the chance of unintended tool use, unnecessary browsing, or report generation beyond user expectations.

Vague Triggers

Medium
Confidence: 92%
Finding:
The quick-start instruction tells the agent to proactively use the skill whenever the user says broad phrases like '探索变现路径' or '如何用 AI 赚钱,' encouraging automatic invocation without a clear consent boundary. In a skill with browser, exec, and read/write capabilities, ambiguous proactive activation can lead to unnecessary or unexpected actions.

Missing User Warnings

Medium
Confidence: 87%
Finding:
The skill advertises exec and read/write capabilities but does not describe safety boundaries, scope limits, or user-consent requirements for those actions. That omission makes it easier for the agent to perform potentially impactful local changes or script execution without the user understanding the risks.

VirusTotal

66/66 vendors flagged this skill as clean.
