ClawHub

國際政治評論員

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but it needs review because it can save sensitive political interests and under-discloses external news/search activity.

Review this skill before installing if you do not want political topics or preferences retained locally. Use it only if you are comfortable with news/search requests reaching external public sources, and clear or disable the memory/tracking features if you do not want a local political-interest profile retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad, natural-language requests such as asking to comment on today's political news or analyze a news item, which can cause the skill to activate unintentionally during ordinary conversation. In a political-commentary skill, accidental invocation is more concerning because it may steer neutral discussions into opinion generation, news gathering, or memory use without clear user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example trigger phrases are broad natural-language requests such as asking to comment on today's political news or analyze a news item, which can plausibly overlap with ordinary conversation and cause the skill to activate when the user did not explicitly intend to invoke it. In a political-analysis skill, unintended activation is more concerning because it may steer responses into sensitive political framing, fetch external content, or apply stored user preferences without clear user intent.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger description is broad enough to activate on many ordinary political-information requests, which can cause the skill to run unexpectedly and pull in search, persistence, or other side effects without clear user intent. In a political-analysis context, unexpected activation is more sensitive because outputs may shape opinions and may trigger preference collection workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs storage of user political preferences in `memory/political-preferences.json` without prior notice, consent, retention limits, or explanation of how the data will be used. Political interests are sensitive personal data in many contexts, so silent persistence can expose users to profiling, surveillance, or unintended disclosure if the local environment is shared or compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tracking and push-notification features imply ongoing monitoring of user-selected political topics and scheduled updates, but the skill does not warn users about continuous observation, data retention, or notification behavior. Because the monitored subject matter is political, the privacy impact is elevated and could reveal ideology, affiliations, or sensitive interests over time.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal