07 Risk Dashboard

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only risk dashboard template that formats user-provided internal risk data, with no code, credential access, or external data access.

Before installing, treat this as an internal reporting template, not an official Alibaba system or an automated enforcement tool. Provide only data the intended audience is allowed to see, define business scope and time range for each report, and require human review before supplier penalties, escalations, or broad push notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium severity, 93% confidence

Finding: The trigger condition includes broad natural-language phrasing such as asking for the 'current highest risk,' which can overlap with ordinary conversation and unintentionally activate the skill. In a risk-management context, accidental activation can expose sensitive internal risk summaries or cause the agent to act on incomplete context when the user did not intend to invoke this skill.

Vague Triggers

Medium severity, 91% confidence

Finding: The heatmap feature is triggered by a loose phrase ('give me a risk heatmap') without scope checks, authorization checks, or disambiguation. Because the skill handles internal-control and supplier risk data, an imprecise trigger increases the chance of unintended disclosure or invocation from casual discussion that mentions similar wording.

Missing User Warnings

Medium severity, 89% confidence

Finding: The document describes automatic pushing of reports and real-time alerts to responsible personnel, but it does not define recipient validation, sensitivity labeling, consent, or safeguards against over-broad distribution. Since the reports contain P0/P1 incidents, supplier risk, complaints, and potentially financial loss estimates, misrouting or overly broad push delivery could leak highly sensitive internal operational data.

VirusTotal

64/64 vendors flagged this skill as clean.