ClawHub
Back to skill

Security audit

androidiconmaker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward Android app icon generation skill, with only minor ambiguity around broad trigger phrases.

Install if you want an image-to-Android-app-icon helper. Be aware that broad icon-related phrases may invoke it when you intended a different image task, so review generated files before using them in a project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes broad natural-language phrases such as "做个图标吧" and "make this an app icon," which are plausible in ordinary conversation and can cause unintended skill activation when a user is discussing icons rather than explicitly invoking the tool. In an agent environment, accidental activation can lead to processing the wrong attachment or performing unintended file-generation actions, especially because the skill is designed to operate directly on user-supplied images.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes broad phrases like “做个图标吧”, which can match generic image-editing requests rather than a clear request to generate Android app icons. This can cause the skill to activate outside its intended scope and process user files unexpectedly, increasing the chance of incorrect actions or confusion in multi-skill environments.

Vague Triggers

Low
Confidence
76% confidence
Finding
Using open-ended wording like “等” / “etc.” makes the invocation boundary unclear, so similar but unintended requests may trigger the skill. In an agent setting, ambiguous routing weakens predictability and may cause this skill to run when a different image-processing action was intended.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal