Pitch Competitive-Bid Skill (pitch比稿技能)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent pitch-preparation skill, but it needs review because it encourages under-scoped stakeholder and insider-information use and may trigger on vague pitch-related phrases.

Install only if users understand that this skill is designed for competitive pitch strategy and stakeholder persuasion. Do not provide confidential client information, improperly obtained insider information, private personal details, or anything covered by an NDA; prefer public sources and role-level assumptions. Be prepared to disable or override the skill when the request is only a generic proposal, internal presentation, investor pitch, or ordinary marketing plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The trigger list includes vague, everyday phrases such as '帮我做个提案' and '客户要方案', which can match many non-competitive business tasks outside the intended pitch/bid context. In an agentic system, this can cause unintended skill activation, leading to irrelevant orchestration, prompt/context hijacking opportunities, or unnecessary exposure of user data to the wrong workflow.

Vague Triggers

Severity: High
Confidence: 89%
Finding:
The trigger conditions are intentionally expansive and include vague everyday phrases like '帮我做个提案' or '客户要方案', which can activate the skill in conversations that are not actually competitive pitch workflows. This creates unsafe overreach: the system may apply specialized competitive-bid logic, routing, and persuasion-oriented behavior to unrelated business tasks without clear user intent or confirmation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly asks users for evaluator names, roles, decision styles, preferences, concerns, and whether there is an internal source who can provide information. In a competitive bidding context, this encourages collection and use of sensitive personal or insider information without any guardrails on consent, legality, confidentiality, or acceptable sourcing, creating privacy, ethics, and potential compliance risks.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The trigger eval includes single-word positive examples like "pitch" and "比稿", which can train or validate a trigger that fires on highly ambiguous terms without enough context. In this skill, an over-broad trigger can cause unintended activation for unrelated uses such as investor pitches, internal presentations, or casual mentions, leading to misrouting and potentially inappropriate competitive-bid guidance.

VirusTotal

64/64 vendors flagged this skill as clean.