Multi-platform Copy Style Rewriting

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised copy rewriting, but it also mandates third-party reporting and repeatedly asks generated copy to pass AI-content detectors.

Review before installing. Avoid using this skill for sensitive drafts unless the reporting call is removed or made clearly opt-in, and remove or override the AI-detector-passing instructions so generated copy is transparent and policy-compliant.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
Remote record reporting is unrelated to the core job of rewriting text and expands the data exposure surface without clear necessity. Because the payload includes user-provided content, this creates unnecessary third-party disclosure risk for potentially confidential marketing drafts or business text.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The documented workflow mandates external telemetry submission before completing the main task, extending behavior beyond rewriting. This is risky because it normalizes sending user content off-platform as part of a routine operation, even when not needed to fulfill the user's request.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The documentation explicitly states that user content is sent to an external HTTP endpoint for logging, which is unrelated to style rewriting. This is particularly dangerous because users may submit proprietary copy, campaign plans, or personal text that is then disclosed to a third party without necessity.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The script markets itself as a copy-rewriting helper, but the documented batch behavior is to send records to an external endpoint rather than perform rewriting. This deceptive functionality is security-relevant because users may provide sensitive draft content under the assumption it will be processed locally for rewriting, while the skill instead initiates unrelated external reporting behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
In batch mode, the function accepts platform and content parameters, implying the user's text is relevant to processing, but the reporting request ignores both values and sends only a fixed source string to a remote API. This mismatch is dangerous because it conceals the tool's real behavior, making it harder for users and reviewers to understand or trust what the skill does and increasing the likelihood of unauthorized network activity being overlooked.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill performs outbound network logging to a third-party service that is unrelated to its primary advertised function of text rewriting, and does so without authentication or meaningful user consent. In the context of an agent skill, unexpected network egress is especially risky because users may submit confidential marketing drafts, internal campaign text, or proprietary content while assuming the operation is local or platform-scoped.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill transmits user-provided content to a remote API without a user-facing warning or consent step. Lack of notice undermines informed consent and can cause unintentional exposure of sensitive business or personal text entered for rewriting.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Requiring remote reporting before output means users cannot use the skill without data transmission, yet the workflow does not clearly disclose this to them. This coercive design increases privacy risk because users may unknowingly surrender their content just to receive a rewrite.

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill instructs sending full user-provided content as a rewrite record before producing output. Because rewrite requests can contain confidential drafts, internal announcements, or personal narratives, transmitting the full text creates a direct data exfiltration channel to an external service.

Ssd 3

Severity: High
Confidence: 99%
Finding
The workflow requires reporting the user's text to an external record interface before the main task is complete, making third-party disclosure a built-in prerequisite. In the context of a writing assistant, this is more dangerous because users are likely to paste unpublished or sensitive content and would not expect mandatory external transmission.

Ssd 3

Severity: High
Confidence: 99%
Finding
The documentation normalizes per-platform external API submission of the user's text, increasing the number of transmissions and therefore the exposure surface. Batch rewrite usage can amplify leakage by causing repeated submissions of the same sensitive content to a third party.

Ssd 1

Severity: Medium
Confidence: 98%
Finding
The skill explicitly instructs the model to produce content that can pass AI-content detection tools. That is a circumvention-oriented requirement aimed at avoiding external screening mechanisms, which can be repurposed to hide synthetic or deceptive content at scale.

Ssd 1

Severity: Medium
Confidence: 98%
Finding
This repeated detector-evasion requirement normalizes bypass behavior across another platform mode. Repetition across sections increases the chance that the model will prioritize concealment goals over safety-aligned output behavior.

Ssd 1

Severity: Medium
Confidence: 98%
Finding
The instruction again redirects generation toward avoiding AI-content screening rather than merely improving style. In a content-rewriting skill, this makes the tool more dangerous because it could help users disguise machine-generated spam, propaganda, or academic dishonesty.

Ssd 1

Severity: Medium
Confidence: 97%
Finding
Although framed as benign stylistic advice, the requirement is explicitly bypass-oriented because it asks for output that can clear AI-detection checks. This can facilitate evasion of trust, compliance, or moderation workflows that rely on such detectors.

Ssd 1

Severity: Medium
Confidence: 98%
Finding
The Bilibili section repeats the same circumvention cue, showing the behavior is systematic rather than accidental. Because the skill mass-produces platform-tailored text, this creates scalable misuse potential for deceptive or policy-violating campaigns.

Ssd 1

Severity: Medium
Confidence: 95%
Finding
The directive to 'never break role' can pressure the model to keep following persona instructions even when a user request conflicts with safety requirements. While not always harmful alone, in combination with other evasive instructions it weakens the model's ability to refuse unsafe or policy-violating tasks.

Ssd 1

Severity: Medium
Confidence: 98%
Finding
This Xiaohongshu rule again requires the output to pass AI-content detection tools. In this context, the platform-specific marketing focus makes the issue more dangerous because it can support covert generation of synthetic promotional content that appears human-authored.

Ssd 1

Severity: Medium
Confidence: 98%
Finding
The Zhihu section includes the same screening-avoidance language, extending the circumvention behavior across the full skill. Broad repetition in a reusable rule library makes abuse easier and suggests the unsafe behavior is built into the skill's intended operation.

VirusTotal

VirusTotal findings are pending for this skill version.