GoGlobal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed VPS/proxy setup assistant, but it asks for live server-control keys and guides privileged server changes, so users should review it carefully before installing.

Install only if you are comfortable giving the agent conversation access to a live VPS control key and following links that execute root-level actions on your server. Use a fresh VPS with no important data, verify the provider and GitHub project yourself, change the 3x-ui password, regenerate the KiwiVM API key after setup, and consider local/manual setup if you do not want credentials or server logs in chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The prompt explicitly claims it will not help users hide malicious traffic or evade controls, but the rest of the workflow provisions a VLESS/REALITY proxy stack intended to make blocked AI services reachable from a censored environment. That contradiction matters because the practical effect is censorship circumvention and traffic obfuscation, despite the policy disclaimer.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This is a detailed operational playbook for installing 3x-ui, configuring proxy inbounds, generating share links, and onboarding clients across platforms. That goes well beyond benign AI availability help and creates a reusable general-purpose circumvention service that could be used for evasion, anonymous traffic relay, or access to blocked services unrelated to AI.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The description frames the skill as a simple AI onboarding assistant, but the actual behavior is a sensitive server-control workflow involving API-based VPS management, remote command execution, OS reinstall, firewall changes, and credential handling. This mismatch increases user trust while hiding the true risk profile of the skill.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation phrases are broad, natural-language commands without clear boundaries, confirmations, or exclusions, which increases the chance of accidental or contextually unintended invocation. In this skill, unintended activation is more dangerous than usual because the described workflow can drive sensitive infrastructure actions such as using a VPS control key, installing a management panel, opening ports, and modifying server state.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation guidance uses very generic phrases such as “帮我安装出海通” (“help me install GoGlobal”) and especially “出海通开始” (“GoGlobal, start”), which can plausibly appear in ordinary support or follow-up conversation and trigger the skill unintentionally. In this skill’s context, accidental activation is more dangerous than usual because the workflow leads users into infrastructure purchase, server administration, proxy deployment, and handling VPS control credentials.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill asks users to paste a CSV containing a live KiwiVM API key and then uses that credential to generate privileged control links. Even though it warns later about not sharing the key, the collection step normalizes disclosure of a server-control secret into the conversation and materially increases the chance of credential leakage or misuse.

Ssd 3

High
Confidence
97% confidence
Finding
The prompt repeatedly instructs users to paste full CSV and API outputs that may contain API keys, service metadata, usernames, passwords, and operational state. That creates a direct channel for sensitive credential material to enter the model context, after which it is processed and used to drive further privileged actions.

Ssd 4

High
Confidence
98% confidence
Finding
The workflow is designed to build user trust step by step and then elicit increasingly sensitive artifacts: CSV exports, control-link responses, installation logs, and panel credentials, culminating in server-control actions and client proxy setup. In context, that makes the skill more dangerous because the social-engineering aspect is embedded into a seemingly helpful guided assistant.
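The three findings above (Missing User Warnings, Ssd 3, Ssd 4) share one root cause: the skill has the user paste raw CSV and API output, so a live KiwiVM API key lands in the model context. One practical control is to scrub such exports locally before anything is pasted into a chat. The following Python script is an added example written for this report; it is not code from the skill, from SkillSpector or from KiwiVM. The CSV layout (columns server_id, ip, api_key, note) and the sample rows are constructed for illustration, and the key values are made-up placeholders. Columns whose header looks secret-bearing are blanked entirely; free-text fields are additionally scanned for long, high-entropy tokens so a key that leaks into a "note" or log column is caught too.

```python
import csv
import io
import math
import re
from collections import Counter

# Header names that usually carry secrets in control-panel / API exports.
SENSITIVE_HEADERS = re.compile(r"(api[_ -]?key|token|secret|passw(or)?d|private)", re.I)

# Long runs of key-like characters with no spaces: the shape of most API keys.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9_\-]{24,}\b")

# Shannon entropy (bits/char) above which a long token is treated as a secret;
# ordinary words and repeated filler stay well below this.
ENTROPY_THRESHOLD = 3.0

REDACTED = "[REDACTED]"

# Constructed sample export (not real KiwiVM data); the keys are placeholders.
SAMPLE_CSV = (
    "server_id,ip,api_key,note\n"
    "123456,203.0.113.10,private_k3yEXAMPLEs9Qw7Lz2Xp4Rm8Tn1Vb5Yc0Hd6Jf,Ubuntu 22.04\n"
    "123457,203.0.113.11,private_k3yEXAMPLEa1B2c3D4e5F6g7H8i9J0k1L2m3N4,"
    "panel token s0Me0TherL0ngT0kenV4lueHereXYZ123\n"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact_value(value: str) -> str:
    """Replace any long, high-entropy token inside a free-text value."""
    def _sub(m: re.Match) -> str:
        tok = m.group(0)
        return REDACTED if shannon_entropy(tok) > ENTROPY_THRESHOLD else tok
    return TOKEN_RE.sub(_sub, value)


def redact_csv(text: str) -> tuple[str, int]:
    """Return (scrubbed CSV text, number of cells that were redacted).

    Cells under a secret-looking header are blanked unconditionally; every
    other cell is scanned for key-shaped tokens.
    """
    reader = csv.DictReader(io.StringIO(text))
    rows, redacted = [], 0
    for row in reader:
        out = {}
        for header, value in row.items():
            value = value or ""
            if SENSITIVE_HEADERS.search(header or ""):
                out[header] = REDACTED
                redacted += 1
            else:
                scrubbed = redact_value(value)
                if scrubbed != value:
                    redacted += 1
                out[header] = scrubbed
        rows.append(out)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames or [])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue(), redacted


if __name__ == "__main__":
    scrubbed, count = redact_csv(SAMPLE_CSV)
    print(f"redacted {count} cell(s)")
    print(scrubbed)
```

Run it on the real export before pasting anything into the agent conversation, and inspect the output: the server IDs, IPs and OS notes survive, which is all the setup workflow actually needs, while the api_key column and the stray token in the note field are gone. Regenerating the key after setup, as the overview already advises, remains necessary for anything that was pasted unscrubbed.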

VirusTotal

0/64 vendors flagged this skill; all 64 reported it as clean.

View on VirusTotal