全网聚合热点榜

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it needs review because it uses an API key, writes local reports automatically, and describes ongoing subscription and keyword-tracking behavior without clear controls.

Install only if you trust the publisher and are comfortable providing a Redfox API key. Use a revocable key, avoid storing it in shared files, keep generated reports in a known folder, and require explicit confirmation before export or any subscription. Treat keyword tracking and push features as under-documented until the publisher explains storage, delivery, retention, and cancellation behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The documented behavior materially contradicts the skill metadata: the metadata says the skill does not support querying specific hotspots, but the instruction file explicitly supports per-item detail lookup and keyword-specific subscription tracking. This mismatch can mislead reviewers, users, and downstream policy controls about the actual capability surface, which increases the risk of unauthorized monitoring or unexpected data handling.

Context-Inappropriate Capability

Severity: Low
Confidence: 91%
Finding
These instructions direct automatic file creation and script execution without user confirmation or any visible safety boundary. In an agent environment, auto-running local scripts and writing artifacts can become dangerous if upstream content is attacker-influenced, potentially causing unauthorized system-side effects or unsafe processing of generated data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The document introduces heat-trend prediction logic, lifecycle estimates, and prescriptive follow-up guidance that exceed the skill’s declared scope of aggregating current TOP10 hotspots and 7-day historical recall. This creates a scope mismatch that can mislead downstream agents or users into treating unsupported forecasts as authoritative functionality, increasing the risk of deceptive outputs or unintended decision-making based on undocumented behavior.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The README defines very broad natural-language trigger phrases such as "Hot list," "Today's hot topics," and "Latest hot topics" that can easily appear in ordinary conversation. In an agent environment, this increases the chance of unintended skill invocation, which could cause unsolicited external API calls, unexpected report generation, or subscription actions using the configured API key.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger phrases are very broad (e.g. equivalents of 'hot topics', 'today's hot topics', 'latest hot topics') and can overlap with normal conversation, increasing the chance that the skill activates unintentionally. In an agent environment, accidental invocation can cause unintended external API calls, unexpected data retrieval, or downstream actions like report generation when the user did not explicitly request this skill.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The README advertises HTML export and subscription push features but does not warn users about where files are written, what data may be stored in generated reports, or what ongoing effects a subscription creates. In practice, this can lead to silent persistence of potentially sensitive usage data and recurring outbound notifications or scheduled tasks without informed user consent.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The subscription push feature is described without clear activation boundaries, approval flow, or scope constraints. That ambiguity is risky because a user asking for a one-time report could be steered into persistent notifications or recurring data processing they did not knowingly authorize.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The subscription push feature is described without clear activation boundaries, approval flow, or scope constraints. That ambiguity is risky because a user asking for a one-time report could be steered into persistent notifications or recurring data processing they did not knowingly authorize.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill instructs automatic saving of structured JSON and HTML reports to disk without any user-facing notice or consent step. Silent persistence is dangerous because retrieved data, analysis artifacts, and links may remain on the host and be accessible beyond the current session.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The documentation tells users to place an API key in config files or environment variables but omits basic credential-handling guidance. This increases the risk of insecure storage, accidental disclosure in shared environments, and long-lived credential exposure if logs, configs, or repositories are later accessed.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
Using the bare trigger phrase "订阅" ("subscribe") to initiate the subscription flow is overly broad and can be activated by ambiguous user utterances that merely mention subscribing conceptually. This can lead to unintended enrollment into persistent notifications or state changes without sufficiently explicit user intent.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The same overly generic "订阅" ("subscribe") trigger is reused for yesterday-hotlist subscriptions, creating the same ambiguity around whether the user intended a persistent subscription action. Broad activation phrases increase the chance of accidental state changes and user surprise.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
A generic "订阅" ("subscribe") trigger is especially risky in the keyword-tracking context because it can lead into monitoring of user-specified topics, which may reveal interests or sensitive subjects. Without clear activation constraints and confirmation, the skill may create persistent tracking subscriptions the user did not intend.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill advertises recurring push subscriptions but does not clearly disclose persistence, notification frequency, retention of subscription state, or cancellation expectations at the point of enrollment. This can cause users to unknowingly authorize ongoing notifications and data/state retention beyond the immediate interaction.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The template explicitly instructs the agent to save a JSON file and automatically invoke a Python script after responding, without warning the user about these system-affecting operations. Hidden execution and file writes violate user expectations and create a pathway for unintended side effects, especially if report contents can include untrusted data that later reaches downstream tooling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal