ClawHub

Report Formatter

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese-language formatting skill that rewrites user-provided content into reports, emails, notes, proposals, articles, or outlines, with no executable code, persistence, credential access, or hidden data flow.

Install this if you want Chinese-language document formatting help. Review the output carefully for meaning changes, especially when asking vaguely to organize or beautify text, and specify the desired format when precision matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match common conversational requests such as '整理一下' or '美化', which can cause the skill to activate outside the user's intended scope. In an agent setting, this increases the risk of unintended transformation of content, including structured rewriting that may omit nuance, alter meaning, or interfere with a more appropriate tool or workflow.

Vague Triggers

Low
Confidence
87% confidence
Finding
The automatic trigger for '整理一下' delegates format selection to the skill without clear scope boundaries or selection logic. This can lead to incorrect template choice or unsolicited restructuring of user content, which is risky when the original wording, ordering, or fidelity matters.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The skill is written entirely in Chinese and does not offer language detection, fallback behavior, or user language choice. In multi-language environments this can cause misinterpretation of instructions, accidental invocation mismatches, or output in an unintended language, which can degrade reliability and lead to incorrect business communications.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The package description is extremely broad, promising to transform arbitrary raw content into professional reports, documents, and emails across multiple output scenarios without any stated boundaries, triggers, or user confirmation requirements. In an agent-skill ecosystem, vague scope can cause the skill to be invoked in unintended contexts and may enable over-collection or transformation of sensitive user content beyond what the user expected.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The description is written entirely in Chinese and presents the skill behavior in that locale without indicating multilingual support or that the language is user-selectable. In a mixed-language agent environment, this can cause the skill to activate or respond in an unexpected language, leading to user confusion, misinterpretation of transformed content, or accidental use in contexts where the user did not opt into that locale.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal