TencentCloud Text AIGC Detection

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tencent Cloud AI-text detection skill, but users should understand that checked text is sent to Tencent Cloud.

Install this only if you are comfortable using Tencent Cloud credentials and sending checked text to Tencent Cloud for processing. Avoid submitting confidential, regulated, or proprietary text unless your data-handling rules allow it, and prefer least-privilege or temporary credentials where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium, 80% confidence
Finding
The trigger conditions are broad and include common phrases such as asking whether text is AI-written, which could cause the skill to activate in contexts where the user did not intend an external Tencent Cloud scan. Because activation can lead to file reads or transmission of text to a third-party service, unintended invocation has privacy and cost implications.

Missing User Warnings

High, 96% confidence
Finding
The skill description explains analysis features but does not clearly warn that submitted text or file contents will be transmitted to Tencent Cloud for processing. This is dangerous because users may provide sensitive, proprietary, or regulated content without informed consent, resulting in unintended third-party disclosure.

Missing User Warnings

Medium, 92% confidence
Finding
The document instructs callers to submit arbitrary text content and optional User/Device identifiers to Tencent Cloud, but it does not warn that this sends potentially sensitive data to an external third-party service. In an agent skill context, this omission can cause unintentional data exfiltration of private user text, IPs, device IDs, or other identifiers because integrators may treat the API call as routine processing rather than external sharing.

Missing User Warnings

Medium, 95% confidence
Finding
The Python example demonstrates encoding text and sending it, along with cloud credentials, to a remote Tencent API without any warning about outbound data transfer, secret handling, or safe-use constraints. In practice, examples are often copied verbatim, so this increases the chance that developers will transmit sensitive content or mishandle credentials without realizing the privacy and security implications.

Missing User Warnings

Medium, 94% confidence
Finding
The skill transmits user-supplied text to Tencent Cloud’s remote moderation API, but the CLI does not give an explicit user-facing notice or confirmation at the point of submission. This can cause unintended disclosure of sensitive, proprietary, or regulated text because users may assume analysis happens locally when in fact the full content is sent to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.
