张雪峰AI助手

Security checks across malware telemetry and agentic risk

Overview

This education advice skill mostly matches its stated purpose, but it relies on an external encrypted knowledge-base archive that is unpacked locally without path safety checks.

Review before installing. Only use the external knowledge-base package if you trust its source, and prefer a version with published hashes or signatures. Treat the assistant's blunt admissions and career advice as opinionated reference material, not official guidance. The publisher should replace the unsafe archive extraction with validated, contained extraction before this skill is considered low-risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Natural-Language Policy Violations

Severity: Medium
Confidence: 81%
Finding: The README defines the assistant as a fixed '张雪峰风格' (Zhang Xuefeng-style) persona with blunt, opinionated behavior and no indication that users can opt out. For an education and career-guidance skill, forcing a strong persona can bias responses, reduce neutrality, and increase the chance that users receive overly assertive advice presented as authoritative rather than balanced guidance.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger list includes broad, common education-related phrases such as '考研' (postgraduate entrance exam), '考公' (civil service exam), '就业方向' (employment direction), and '职业规划' (career planning), which can cause the skill to activate in many unrelated or only loosely related conversations. This creates unnecessary invocation risk, reduces user control, and may route general queries into this skill unexpectedly, especially in multi-skill environments.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The code decrypts attacker-controlled data and then calls ZipFile.extractall(self.kb_path) without validating archive member paths. A malicious encrypted package could contain path-traversal entries such as '../' or absolute paths, allowing overwrite of arbitrary files outside the knowledge-base directory after successful decryption.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  # 张雪峰AI Skill dependencies
  pycryptodome>=3.15.0
  requests>=2.28.0
Confidence: 93%
Finding: pycryptodome>=3.15.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  # 张雪峰AI Skill dependencies
  pycryptodome>=3.15.0
  requests>=2.28.0
Confidence: 94%
Finding: requests>=2.28.0

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 90%
Finding: requests

VirusTotal

65/65 vendors flagged this skill as clean.
