ClawHub

pcs转储

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about moving PCS data into EBP, but it can automatically import operational data into another system without built-in review safeguards.

Install only if you are authorized to transfer PCS data into EBP. Test against non-production data first, inspect the generated Excel file, add a human approval step before upload, and avoid cron scheduling until duplicate prevention, logging, monitoring, and recovery procedures are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list is broad and generic enough that the skill may be invoked in loosely related contexts such as general RPA, PCS, or EPBP conversations, increasing the chance of unintended execution. In this skill, accidental invocation is more dangerous because it performs automated data extraction, file generation, and import into another system, which could cause unauthorized data movement or integrity issues.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documentation describes automated scraping, Excel export, system import, and cron-based scheduled execution without a prominent warning about data sensitivity, authorization requirements, or the risk of unattended transfers. This is dangerous because users may deploy it as routine automation without understanding that it can move operational data between systems and repeatedly perform imports, potentially causing data leakage, duplication, or unauthorized actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal