Welfare Guide

Security checks across malware telemetry and agentic risk

Overview

This Korean welfare-benefits guide is purpose-aligned and disclosed, with only ordinary caution needed around broad triggers, personal eligibility details, API keys, and any future helper scripts.

Install this if you want a Korean welfare-benefits assistant. Confirm the conversation is actually about benefits before providing personal details, keep the data.go.kr key limited to the needed APIs, and inspect any helper shell scripts before allowing them to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 90%
Finding
The manifest advertises many broad trigger phrases such as '지원금', '복지', and '혜택', which are common in ordinary conversation and can cause the skill to activate outside narrowly intended contexts. Over-broad activation can route unrelated user queries into this skill, increasing unintended data collection, confusing responses, and the chance that other higher-priority instructions are displaced.

Vague Triggers

Medium
Confidence: 91%
Finding
The benefit_search intent includes broad conversational triggers such as '지원금 뭐 있어?' and '나 해당 돼?' that can easily appear in ordinary discussion, making accidental routing likely. In a welfare skill, unintended invocation can cause unnecessary collection of sensitive profile details like age, region, household composition, or income context, even if it does not directly execute harmful actions.

Vague Triggers

Medium
Confidence: 89%
Finding
The childcare intent uses vague language like '아이 키우면' that may match normal parenting conversation rather than an explicit request for welfare guidance. Because this skill is designed to provide government-benefit guidance, a false activation could steer the user into disclosing child age or family circumstances without a clear request for that processing.

Vague Triggers

Medium
Confidence: 87%
Finding
The birth_support intent contains ambiguous phrases such as '출산하면' that lack clear scope and may trigger on casual discussion about childbirth rather than requests for assistance programs. In this context, misrouting is more concerning because it can lead to location-specific benefit guidance and prompt collection of regional or family information under a mistaken assumption of user intent.

Vague Triggers

Medium
Confidence: 84%
Finding
The youth_support intent includes broad triggers like '청년 지원' and '청년 혜택', which are semantically wide and may capture casual or policy-related conversation that is not a request for personalized benefit assistance. In a benefits skill, this can cause unintentional routing into advice flows that may solicit age, employment, or financial context.

VirusTotal

64/64 vendors flagged this skill as clean.
