05 Monthly Report

Security checks across malware telemetry and agentic risk

Overview

This is a text-only monthly compliance report template that asks for relevant business data but does not install code, run commands, persist, or transmit data on its own.

Install only if you intend to use it for internal compliance reporting. Before use, confirm the requester is authorized, provide aggregated or redacted data where possible, and do not paste customer identifiers, privileged legal material, credentials, or confidential records beyond what the report truly needs. Also treat the Alibaba-themed author claim as unverified publisher context unless you independently know its source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding:
The trigger condition is broadly defined as '每月末(或管理层需要时)' with no clearer invocation boundaries, authorization expectations, or restrictions on who may supply data. In practice this can cause the skill to be used in unintended contexts, increasing the chance that sensitive compliance reporting is generated from unverified inputs or exposed to unauthorized users.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill asks for detailed complaint, risk-event, supplier, station, litigation, and media-risk data, which may include sensitive operational, personal, or legally privileged information, but it provides no privacy notice, data minimization guidance, or handling restrictions. This creates a real risk of oversharing regulated or confidential internal data into the agent context, especially because the skill explicitly solicits granular records and incident details.

VirusTotal

41/41 vendors flagged this skill as clean.
