ClawHub

王小波风格写作助手

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only writing-style skill with some broad trigger wording but no hidden execution, data access, persistence, or destructive behavior.

Install this if you want a Chinese Wang Xiaobo-style writing assistant. Be aware that its triggers are broad, so for ordinary editing or non-Chinese writing you may need to explicitly say not to apply that style or language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list is very broad and includes generic writing-related phrases such as popular science, humorous prose, logical deduction, and Chinese essay style. This can cause the skill to activate for ordinary writing requests where the user did not explicitly ask for Wang Xiaobo-style transformation, leading to unintended behavior override and style hijacking.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation conditions include broad goals like making text engaging, accessible, rigorous, or humorous, which are common across many normal writing tasks. Without clear boundaries or user confirmation, the skill may inappropriately engage and steer output into a specific literary voice, reducing user control and potentially conflicting with the requested task.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill description frames the tool as operating on Chinese-language writing tasks and Chinese trigger terms without an explicit user opt-in for language preference. In a multi-language environment, this can cause unwanted language switching or constrain output language based on skill metadata rather than the user's actual request.

VirusTotal

33/33 vendors flagged this skill as clean.

View on VirusTotal