OPC智脑 | Full-stack startup diagnosis expert for solo founders

Security checks across malware telemetry and agentic risk

Overview

This is a coherent startup-advice skill, but it needs review because its installers can overwrite project agent files and optionally delete source files, and its feedback flow stores and repurposes user data.

Review before installing. Use it only in a backed-up project directory, inspect existing AGENTS.md or IDE instruction files first, avoid running installer scripts with sudo, decline source-directory cleanup unless the path is disposable, and do not provide sensitive business details unless you are comfortable with local report and feedback retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (56)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The installer offers to recursively delete the entire source directory with `rm -rf "$OPC_SKILLS_DIR"` based on a weak safety check that only compares it against the current working directory. That behavior is broader than necessary for installing a skill and can cause unintended data loss if the package is unpacked in a shared or important location, especially since `SOURCE_DIR` is script-location derived rather than constrained to a dedicated temp directory.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding
The script performs extensive filesystem writes into an arbitrary target project and also offers deletion of the entire source directory via `rm -rf`. That behavior materially exceeds a startup-advisory skill’s stated purpose and creates risk of destructive changes or accidental data loss if a user runs it in the wrong location.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
This file installs AGENTS.md and skill content into another project and modifies `.codebuddy` state, which is unrelated to the advertised role of a startup-diagnosis/planning assistant. Even if intended as convenience tooling, bundling deployment behavior into a non-installation skill increases the chance users will execute privileged project modifications they did not expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The installer copies multiple agent and skill artifacts into a target project, which is a broad file-system modification capability beyond the narrow business purpose implied by a 'diagnostic expert' skill. While this looks like a packaging/installation utility rather than overtly malicious behavior, it increases supply-chain risk because a user may run it expecting only advisory functionality, yet it silently installs executable/configuration assets that can alter agent behavior in the destination environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The script accepts a user-supplied target path and recursively writes files and directories there without containment checks, overwrite prompts, or path policy restrictions. If invoked with an unintended or sensitive path, it can overwrite existing project metadata or place agent/skill files into arbitrary locations, making this a real integrity risk even if the author likely intended convenience rather than abuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The installer offers to delete its own source directory with `rm -rf "$SOURCE_DIR"` after installation, which is unrelated to the advertised entrepreneurship-diagnosis functionality and can remove files outside the target project. Even though it is gated by a prompt, destructive cleanup in an installer increases the risk of accidental data loss and is especially dangerous if the skill bundle was unpacked into a broader directory the user cares about.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The script contains a recursive delete capability (`rm -rf "$SOURCE_DIR"`) that can erase the entire installation source tree. Because `SOURCE_DIR` is derived from the script location rather than a purpose-built temp directory, a user running the installer from an unexpected location could lose substantial local content; the capability is unjustified for a normal skill installer.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill goes beyond collecting feedback and directs the agent to retain detailed user responses and repurpose them for product optimization, pricing strategy, and public promotion. That expands the scope of data use without clear user notice or consent, creating privacy and secondary-use risk even if the original intent is business improvement.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The manifest describes a feedback module, but the body requires filesystem persistence, per-day directories, and overwrite-based summary generation as mandatory behavior. This mismatch hides material data-handling behavior from the top-level description and can cause operators or users to underestimate how much information is being stored and processed.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The module instructs the agent to build per-user/project feedback analyses and derive persistent '用户画像分析' (user profile analysis) beyond the core purpose of delivering a startup diagnosis. This expands data use from service improvement into profiling, increasing privacy risk and creating secondary uses of user data that are not necessary for the skill's stated function.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill explicitly says positive feedback may be reused for product promotion and public sharing after desensitization, which is a secondary use unrelated to diagnostic delivery. Reusing user feedback as marketing material without explicit upfront consent creates privacy, expectation, and misuse risks even if the content is partially anonymized.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The greeting-based activation rule is overly broad because it forces a fixed onboarding flow on common inputs like 'hi' or an empty message. In practice, this can cause unintended prompt capture, interfere with user intent, and make downstream skill execution occur without clear consent or sufficient context, which is a prompt-safety and UX control weakness.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger keywords are broad and lack scope constraints, so ordinary conversation or loosely related terms may dispatch the wrong skill. This increases the risk of misrouting, over-collection of information, or bypassing intended stage checks, especially in a multi-skill orchestration setup where routing controls behavior.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding
The file describes automatic report export and saving to a local folder without a clear user-facing warning about file creation. Even if not directly executable here, normalizing silent persistence can surprise users, expose sensitive business information on disk, and weaken informed consent around data handling.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The skill mandates automatic activation on very broad triggers such as first open, empty message, or simple greetings. In agent environments, overly eager trigger conditions can cause unsolicited prompting, context capture, or workflow hijacking before the user has clearly requested this skill, increasing the risk of misrouting sensitive conversations. The entrepreneurship context makes this less severe than a high-privilege system automation skill, but it is still dangerous because it can override user intent and activate in unrelated sessions.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The keyword-based trigger list is broad and lacks scope constraints, disambiguation rules, or exclusions. In a multi-skill or shared assistant environment, generic terms like '想法' (idea), '定价' (pricing), or '增长' (growth) can accidentally route unrelated requests into this skill, causing inappropriate data collection, misleading advice, or suppression of a more suitable tool. The business-advisory context reduces impact compared with system or financial automation, but unintended invocation remains a real prompt-routing risk.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger keyword list includes broad, everyday terms such as “想法” (idea), “点子” (idea), and “MVP”, which can cause the skill to activate in unrelated conversations. In an agent environment, overbroad activation increases the chance of prompt/context hijacking, accidental policy bypass, or unintended workflow execution when the user did not mean to invoke this skill.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The troubleshooting guide recommends privileged and permission-changing commands such as 'sudo bash install-prompt.sh' and 'chmod -R 755 /path/to/project' without an explicit warning about their system-wide or recursive effects. In a skill-installation context, users may copy-paste these commands directly, which can over-broaden permissions or execute an unreviewed script with elevated privileges.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The guide includes file-replacing commands such as moving directories into place and overwriting AGENTS.md via conversion pipelines, but does not prominently warn about overwriting existing files or losing local customizations. In an IDE skill setup guide, this is risky because users are likely to execute the commands as written during troubleshooting, potentially damaging their workspace configuration.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The documented auto-trigger for Skill1 relies on broad keywords like “想法” (idea) and “可行性” (feasibility), which are common in ordinary entrepreneurial discussion. In an agent setting, this can cause unintended routing into a diagnostic workflow, leading to irrelevant data collection, mistaken stage classification, or advice being applied outside the user’s intent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The MVP trigger conditions use generic terms such as “MVP”, “产品设计” (product design), and “功能裁剪” (feature trimming) without boundaries, making accidental activation likely during normal product discussions. Misrouting can produce inappropriate outputs, overwrite conversational context, or push the user into the wrong workflow stage.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The compliance skill is triggered by broad terms like “合规” (compliance) and “财税” (finance and tax), which are highly generic and may appear in many unrelated conversations. In this context, accidental activation is more concerning because the skill provides procedural business and tax guidance, so a misfire could surface authoritative-seeming compliance advice when the user did not request it.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The cold-start acquisition skill is keyed off broad marketing terms such as “获客” (customer acquisition), “冷启动” (cold start), and “定价” (pricing), which can occur in general discussion without an actual request to invoke the workflow. This creates a risk of unsolicited business strategy generation and stage misclassification, reducing reliability and potentially steering users incorrectly.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The scale-up skill uses high-frequency business words like “规模化” (scaling), “增长引擎” (growth engine), “自动化” (automation), and “复购” (repeat purchase) without exclusion criteria, so benign conversation may trigger advanced growth-planning behavior. In a multi-skill agent, this can cause incorrect workflow selection and overconfident strategic recommendations that do not fit the user’s stage or needs.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide explicitly recommends storing user information across conversations and using memory features, but it provides no guidance on consent, data minimization, retention limits, access controls, or handling of sensitive business information. In a startup-diagnosis bot, users may share company plans, legal/compliance details, and other sensitive data, so persistent storage without privacy guardrails can lead to unnecessary retention and disclosure risk.

VirusTotal

VirusTotal findings are pending for this skill version.
