Steering Gear

Security checks across malware telemetry and agentic risk

Overview

This skill is a published website workflow that generates steering-gear CAD outputs; because it also creates guest-accessible production sheets, treat the guest production links it returns as private.

Before installing, be aware that the skill sends steering-gear design parameters to jixietools.com and creates a guest-accessible production sheet there. Treat the guest code and URL as sensitive links, avoid sharing them publicly, and only proceed to production-sheet creation after you have reviewed the calculated parameters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill’s declared purpose is CAD drawing generation, but it also creates unauthenticated production sheets, polls their status, exposes guest-access URLs, and nudges the user toward purchase. This materially expands the capability from design assistance into order initiation and order tracking without clear consent, creating risk of unintended transactions, privacy exposure, and misuse of publicly accessible guest links.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The order-tracking and purchase guidance are not necessary to fulfill a CAD drawing generation task and therefore violate least-privilege design. Including downstream commercial workflow steps increases the chance the agent performs actions or reveals links/status information the user did not intend to authorize.

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger phrases include broad natural-language expressions such as '做一个转向器' ("make a steering gear"), which can plausibly appear in ordinary conversation and may invoke the skill unintentionally. Because the skill can progress into external API calls and unauthenticated production-sheet creation, accidental invocation has meaningful side effects.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill emphasizes that creation and viewing are available without authentication but does not warn users that guest codes and URLs may grant access to production status and outputs. This omission increases the risk that sensitive design or order information is exposed through link sharing, logs, transcripts, or accidental disclosure.
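
The three checks behind the Description-Behavior Mismatch, Vague Triggers and Missing User Warnings findings can be expressed as a small manifest linter. The code below is an added example, not SkillSpector's implementation or the skill's own code: the regexes, the `Skill` record, the sample manifest and the ordinary-conversation corpus are all constructed here for illustration, and the `https://example.invalid/...` endpoint is a placeholder rather than the real jixietools.com API.

```python
"""Minimal skill-manifest linter (added example, not SkillSpector's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, replace


@dataclass
class Skill:
    name: str
    description: str     # declared purpose shown to the user
    triggers: list[str]  # phrases that invoke the skill
    instructions: str    # the body the agent actually executes


# Capabilities that go beyond producing a drawing. Assumed patterns for
# illustration, keyed by the capability each one indicates.
SIDE_EFFECTS = {
    "order initiation":      re.compile(r"\b(create|generate)s?\b.{0,40}\bproduction sheet\b", re.I),
    "order tracking":        re.compile(r"\bpoll(s|ing)?\b.{0,40}\bstatus\b", re.I),
    "purchase guidance":     re.compile(r"\b(purchase|buy|order|checkout)\b", re.I),
    "external transmission": re.compile(r"https?://[^\s)\"']+", re.I),
}
# Wording in the description that counts as declaring each capability.
DECLARED = {
    "order initiation":      re.compile(r"\b(production|order)\b", re.I),
    "order tracking":        re.compile(r"\b(track|status)\b", re.I),
    "purchase guidance":     re.compile(r"\b(purchase|buy|order)\b", re.I),
    "external transmission": re.compile(r"\b(send|upload|submit)s?\b.{0,40}\bto\b", re.I),
}
GUEST_LINK = re.compile(r"\bguest[- ]?(code|url|link|access)", re.I)
WARNING = re.compile(r"(do not share|don't share|keep .{0,20}private|treat .{0,40}(sensitive|secret))", re.I)


def undeclared_capabilities(skill: Skill) -> list[str]:
    """Capabilities exercised by the instructions but absent from the description."""
    return [cap for cap, pat in SIDE_EFFECTS.items()
            if pat.search(skill.instructions) and not DECLARED[cap].search(skill.description)]


def vague_triggers(skill: Skill, corpus: list[str]) -> list[str]:
    """Triggers that occur verbatim inside ordinary-conversation samples."""
    return [t for t in skill.triggers
            if any(t.casefold() in line.casefold() for line in corpus)]


def missing_guest_warning(skill: Skill) -> bool:
    """True when guest codes/URLs are mentioned without any handling warning."""
    text = skill.description + "\n" + skill.instructions
    return bool(GUEST_LINK.search(text)) and not WARNING.search(text)


def lint(skill: Skill, corpus: list[str]) -> dict[str, list[str]]:
    findings: dict[str, list[str]] = {}
    if caps := undeclared_capabilities(skill):
        findings["description-behavior mismatch"] = caps
    if vague := vague_triggers(skill, corpus):
        findings["vague triggers"] = vague
    if missing_guest_warning(skill):
        findings["missing user warnings"] = ["guest code/URL mentioned without a handling warning"]
    return findings


# Constructed manifest mirroring the findings above; not the real skill's text.
SAMPLE_SKILL = Skill(
    name="steering-gear",
    description=("Generate steering-gear CAD drawings from design parameters; "
                 "sends the parameters to jixietools.com for calculation."),
    triggers=["做一个转向器", "steering gear CAD drawing"],
    instructions=(
        "1. Compute the gear parameters from the user's input.\n"
        "2. POST the parameters to https://example.invalid/api/calc (placeholder endpoint).\n"
        "3. Create a production sheet and poll its status until complete.\n"
        "4. Show the guest code and guest URL; creation and viewing need no login.\n"
        "5. Suggest the user purchase the part.\n"
    ),
)
# Same manifest with the warning the Missing User Warnings finding asks for.
HARDENED_SKILL = replace(
    SAMPLE_SKILL,
    instructions=SAMPLE_SKILL.instructions
    + "Treat the guest code and URL as sensitive: do not share them publicly.\n",
)
# Constructed ordinary-conversation samples used to test trigger breadth.
SAMPLE_CORPUS = [
    "我想做一个转向器的玩具模型，有什么材料推荐？",  # "I want to make a toy steering-gear model; any material tips?"
    "How do I draw a gear in Fusion 360?",
    "请帮我画一个法兰的CAD图",  # "Please draw a flange CAD drawing for me"
]

if __name__ == "__main__":
    for key, detail in lint(SAMPLE_SKILL, SAMPLE_CORPUS).items():
        print(f"{key}: {detail}")
```

Because the sample description discloses sending parameters to jixietools.com, the external call is treated as declared and only the order-initiation, order-tracking and purchase steps are reported as undeclared; the Chinese trigger is reported because it matches a sentence about building a toy, and the guest-link warning finding disappears once a handling sentence is added.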

VirusTotal

64/64 vendors reported this skill as clean.

View on VirusTotal