ClawHub

Formula Decoder

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese-language math and physics formula explanation skill with broad triggers, but no evidence of unsafe access, persistence, or hidden behavior.

Install this if you want a Chinese-oriented helper for understanding formulas and math or physics concepts. Be aware it may activate on broad educational phrases and may answer in Chinese unless you explicitly ask for another language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger conditions are broad and cover many generic math/physics education requests, which can cause the skill to auto-activate outside a narrowly intended scope. This creates a prompt-routing and overreach risk: users may be forced into this skill's rigid behavior when they wanted a normal answer, reducing user control and increasing the chance that the skill overrides better-suited system behavior.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill is written to operate in Chinese throughout and does not provide a user language negotiation mechanism. In a multilingual environment, this can cause accessibility and usability failures, and may lead users to misunderstand technical explanations, especially for mathematical or physical concepts where precision matters.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad conceptual terms such as '公式理解', '深度解析', and '概念可视化', which can match many ordinary math, physics, or explanation requests outside a tightly scoped skill boundary. This increases unintended invocation and prompt-routing overlap, making the skill easier to activate in contexts the user did not specifically intend, though the skill itself appears educational rather than overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal